├── sample-manifests
│   ├── automation
│   │   ├── rhacm-argocd
│   │   │   └── gitops-templates
│   │   │       ├── .gitignore
│   │   │       ├── pre-reqs
│   │   │       │   ├── sno-1
│   │   │       │   │   ├── namespace.yaml
│   │   │       │   │   ├── kustomization.yaml
│   │   │       │   │   ├── bmh-secret.yaml
│   │   │       │   │   └── pull-secret.yaml
│   │   │       │   └── sno-2
│   │   │       │       ├── namespace.yaml
│   │   │       │       ├── kustomization.yaml
│   │   │       │       ├── bmh-secret.yaml
│   │   │       │       └── pull-secret.yaml
│   │   │       ├── site-configs
│   │   │       │   ├── fe-du-namespace.yaml
│   │   │       │   ├── post-sync.yaml
│   │   │       │   ├── pre-sync.yaml
│   │   │       │   └── fe-du.yaml
│   │   │       ├── site-policies
│   │   │       │   ├── common-policies
│   │   │       │   │   └── FE-common-ns.yaml
│   │   │       │   ├── group-policies
│   │   │       │   │   ├── FE-cnf-namespace.yaml
│   │   │       │   │   └── FE-cnf.yaml
│   │   │       │   ├── site-specific-policies
│   │   │       │   │   ├── FE-LAB-namespace.yaml
│   │   │       │   │   └── FE-LAB.yaml
│   │   │       │   ├── pre-sync.yaml
│   │   │       │   └── post-sync.yaml
│   │   │       ├── hub-prereqs
│   │   │       │   ├── kustomization.yaml
│   │   │       │   ├── 07-rbac-mcs-sno.yaml
│   │   │       │   ├── 02_pull_secret.yaml
│   │   │       │   ├── 06_gitops-operator-install.yaml
│   │   │       │   ├── 04_assisted-service.yaml
│   │   │       │   ├── 01_clusterimageset.yaml
│   │   │       │   ├── 00_pre-reqs.yaml
│   │   │       │   └── 05_gitops-operator-icsp.yaml
│   │   │       └── generate-localy.sh
│   │   └── rhacm-alone
│   │       ├── clusters
│   │       │   ├── kustomization.yaml
│   │       │   ├── sno-1
│   │       │   │   ├── 00_namespace.yaml
│   │       │   │   ├── kustomization.yaml
│   │       │   │   ├── 07_managedcluster.yaml
│   │       │   │   ├── 01_pull_secret.yaml
│   │       │   │   ├── 06_klusterletaddonconfig.yaml
│   │       │   │   ├── 08_infraenv.yaml
│   │       │   │   ├── 05_clusterdeployment.yaml
│   │       │   │   ├── 04_agentcluster.yaml
│   │       │   │   ├── 03_nmstate.yaml
│   │       │   │   ├── 09_bmh.yaml
│   │       │   │   └── 02_workload_partitioning.yaml
│   │       │   └── sno-2
│   │       │       ├── 00_namespace.yaml
│   │       │       ├── kustomization.yaml
│   │       │       ├── 07_managedcluster.yaml
│   │       │       ├── 01_pull_secret.yaml
│   │       │       ├── 06_klusterletaddonconfig.yaml
│   │       │       ├── 08_infraenv.yaml
│   │       │       ├── 05_clusterdeployment.yaml
│   │       │       ├── 03_nmstate.yaml
│   │       │       ├── 09_bmh.yaml
│   │       │       ├── 04_agentcluster.yaml
│   │       │       └── 02_workload_partitioning.yaml
│   │       ├── acm
│   │       │   ├── kustomization.yaml
│   │       │   ├── 00_acm-demo.yaml
│   │       │   └── ztp-applications.yaml
│   │       ├── cnf-configs
│   │       │   ├── kustomization.yaml
│   │       │   ├── pao
│   │       │   │   ├── policy-pao48-profile-hp.yaml
│   │       │   │   └── policy-pao48-profile-dell.yaml
│   │       │   └── ptp
│   │       │       └── policy-ptp-profile.yaml
│   │       ├── acm-prereqs
│   │       │   ├── kustomization.yaml
│   │       │   ├── 01_clusterimageset.yaml
│   │       │   ├── 02_pull_secret.yaml
│   │       │   ├── 04_assisted-service.yaml
│   │       │   ├── 00_pre-reqs.yaml
│   │       │   └── 03_disconnected_mirror_config.yaml
│   │       └── cnf-operators
│   │           ├── kustomization.yaml
│   │           ├── pao
│   │           │   └── policy-pao48.yaml
│   │           ├── sriov
│   │           │   └── policy-sriov-operator.yaml
│   │           ├── ptp
│   │           │   └── policy-ptp-operator.yaml
│   │           └── catalogsources
│   │               └── policy-cs.yaml
│   ├── spoke-mno
│   │   ├── 05_ManagedCluster.yaml
│   │   ├── 01_AI-pull-secret.yaml
│   │   ├── 04_KlusterletAddonConfig.yaml
│   │   ├── 03_ClusterDeployment.yaml
│   │   ├── 06_InfraEnv.yaml
│   │   ├── 02_AgentClusterInstall.yaml
│   │   ├── create_spoke.sh
│   │   ├── 07_BMH-spoke1-master0.yaml
│   │   ├── 07_BMH-spoke1-master1.yaml
│   │   └── 07_BMH-spoke1-master2.yaml
│   ├── spoke-sno
│   │   ├── 05_ManagedCluster.yaml
│   │   ├── 01_AI-pull-secret.yaml
│   │   ├── 04_KlusterletAddonConfig.yaml
│   │   ├── 03_ClusterDeployment.yaml
│   │   ├── 06_InfraEnv.yaml
│   │   ├── 02_AgentClusterInstall.yaml
│   │   ├── create_spoke_sno.sh
│   │   └── 07_BMH-sno.yaml
│   ├── hub
│   │   ├── 06_AI-Optional-ServiceConfig.yaml
│   │   ├── 03_AI-ClusterImageSet.yaml
│   │   ├── 02_localVolume.yaml
│   │   ├── 07_AI-pull-secret.yaml
│   │   ├── 01_LSO.yaml
│   │   ├── 08_AI-Operand.yaml
│   │   └── 04_AI-Disconnected-MirrorConfig.yaml
│   └── env
├── assets
│   ├── ztp-pre-reqs.png
│   ├── 8-hours-later.jpg
│   ├── ztp-argocd-apps.png
│   ├── rhacm-cnf-configs.png
│   ├── rhacm-cnf-operators.png
│   ├── ztp-flow-connected.png
│   ├── ztp-rhacm-policies.png
│   ├── ztp-flow-disconnected.png
│   ├── ztp-policygen-workflow.png
│   ├── rhacm-cluster-deployment.png
│   ├── ztp-follow-policy-apply.png
│   ├── ztp-follow-sno-deployment.png
│   ├── ztp-follow-policy-apply-01.png
│   └── ztp-follow-policy-apply-02.png
├── .github
│   ├── labels.yml
│   ├── workflows
│   │   ├── label.yml
│   │   ├── greetings.yml
│   │   ├── broken-link-check.yml
│   │   ├── auto-merge.yml
│   │   ├── pre-commit.yml
│   │   └── stale.yml
│   └── dependabot.yml
├── .flake8
├── tools
│   ├── registry-start.sh
│   ├── mirror-ocp-release.sh
│   ├── cert-maker.sh
│   ├── acm-downstream-image-sync.sh
│   ├── mirror-ocp-full.sh
│   └── mirror-olm.sh
├── docs
│   ├── automation-massive-deployments-ztp.md
│   └── prerequirements
│       ├── mirror-ocp-release.md
│       ├── acm-downstream-deployment-connected.md
│       ├── host-internal-resources.md
│       ├── acm-downstream-deployment-disconnected.md
│       └── ocp4-ipi-deployment.md
├── .pre-commit-config.yaml
├── .yaspeller.json
├── .gitignore
├── README.md
└── LICENSE

/sample-manifests/automation/rhacm-argocd/gitops-templates/.gitignore:
--------------------------------------------------------------------------------
# PolicyGen
out/*
--------------------------------------------------------------------------------
/sample-manifests/automation/rhacm-alone/clusters/kustomization.yaml:
--------------------------------------------------------------------------------
bases:
  - sno-1
  - sno-2
--------------------------------------------------------------------------------
/assets/ztp-pre-reqs.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jparrill/ztp-the-hard-way/HEAD/assets/ztp-pre-reqs.png
--------------------------------------------------------------------------------
/sample-manifests/automation/rhacm-alone/acm/kustomization.yaml:
--------------------------------------------------------------------------------
resources:
  - ztp-applications.yaml
--------------------------------------------------------------------------------
/assets/8-hours-later.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jparrill/ztp-the-hard-way/HEAD/assets/8-hours-later.jpg
--------------------------------------------------------------------------------
/assets/ztp-argocd-apps.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jparrill/ztp-the-hard-way/HEAD/assets/ztp-argocd-apps.png
--------------------------------------------------------------------------------
/assets/rhacm-cnf-configs.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jparrill/ztp-the-hard-way/HEAD/assets/rhacm-cnf-configs.png
--------------------------------------------------------------------------------
/.github/labels.yml:
--------------------------------------------------------------------------------
# Add 'repo' label to any root file changes
repo:
  - ./*

docs:
  - docs/**/*
--------------------------------------------------------------------------------
/assets/rhacm-cnf-operators.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jparrill/ztp-the-hard-way/HEAD/assets/rhacm-cnf-operators.png
--------------------------------------------------------------------------------
/assets/ztp-flow-connected.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jparrill/ztp-the-hard-way/HEAD/assets/ztp-flow-connected.png
--------------------------------------------------------------------------------
/assets/ztp-rhacm-policies.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jparrill/ztp-the-hard-way/HEAD/assets/ztp-rhacm-policies.png
--------------------------------------------------------------------------------
/assets/ztp-flow-disconnected.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jparrill/ztp-the-hard-way/HEAD/assets/ztp-flow-disconnected.png
--------------------------------------------------------------------------------
/assets/ztp-policygen-workflow.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jparrill/ztp-the-hard-way/HEAD/assets/ztp-policygen-workflow.png
--------------------------------------------------------------------------------
/assets/rhacm-cluster-deployment.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jparrill/ztp-the-hard-way/HEAD/assets/rhacm-cluster-deployment.png
--------------------------------------------------------------------------------
/assets/ztp-follow-policy-apply.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jparrill/ztp-the-hard-way/HEAD/assets/ztp-follow-policy-apply.png
--------------------------------------------------------------------------------
/assets/ztp-follow-sno-deployment.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jparrill/ztp-the-hard-way/HEAD/assets/ztp-follow-sno-deployment.png
--------------------------------------------------------------------------------
/assets/ztp-follow-policy-apply-01.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jparrill/ztp-the-hard-way/HEAD/assets/ztp-follow-policy-apply-01.png
--------------------------------------------------------------------------------
/assets/ztp-follow-policy-apply-02.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jparrill/ztp-the-hard-way/HEAD/assets/ztp-follow-policy-apply-02.png
--------------------------------------------------------------------------------
/sample-manifests/automation/rhacm-alone/clusters/sno-1/00_namespace.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: sno-1
--------------------------------------------------------------------------------
/sample-manifests/automation/rhacm-alone/clusters/sno-2/00_namespace.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: sno-2
--------------------------------------------------------------------------------
/.flake8:
--------------------------------------------------------------------------------
[flake8]
ignore = E203, E266, E501, W503, F403, F401, E402, E722, C901
max-line-length = 79
max-complexity = 18
select = B,C,E,F,W,T4,B9
--------------------------------------------------------------------------------
/sample-manifests/automation/rhacm-argocd/gitops-templates/pre-reqs/sno-1/namespace.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Namespace
metadata:
  name: sno-1
  labels:
    name: sno-1
--------------------------------------------------------------------------------
/sample-manifests/automation/rhacm-argocd/gitops-templates/pre-reqs/sno-2/namespace.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Namespace
metadata:
  name: sno-2
  labels:
    name: sno-2
--------------------------------------------------------------------------------
/sample-manifests/automation/rhacm-alone/cnf-configs/kustomization.yaml:
--------------------------------------------------------------------------------
resources:
  - pao/policy-pao48-profile-dell.yaml
  - pao/policy-pao48-profile-hp.yaml
  - ptp/policy-ptp-profile.yaml
--------------------------------------------------------------------------------
/sample-manifests/automation/rhacm-argocd/gitops-templates/site-configs/fe-du-namespace.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: fe-lab
  labels:
    name: fe-lab
--------------------------------------------------------------------------------
/sample-manifests/automation/rhacm-alone/acm-prereqs/kustomization.yaml:
--------------------------------------------------------------------------------
resources:
  - 01_clusterimageset.yaml
  - 02_pull_secret.yaml
  - 03_disconnected_mirror_config.yaml
  - 04_assisted-service.yaml
--------------------------------------------------------------------------------
/sample-manifests/automation/rhacm-argocd/gitops-templates/site-policies/common-policies/FE-common-ns.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: common
  labels:
    name: common
--------------------------------------------------------------------------------
/sample-manifests/automation/rhacm-alone/cnf-operators/kustomization.yaml:
--------------------------------------------------------------------------------
resources:
  - catalogsources/policy-cs.yaml
  - pao/policy-pao48.yaml
  - ptp/policy-ptp-operator.yaml
  - sriov/policy-sriov-operator.yaml
--------------------------------------------------------------------------------
/sample-manifests/automation/rhacm-argocd/gitops-templates/site-policies/group-policies/FE-cnf-namespace.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: group-du-sno
  labels:
    name: group-du-sno
--------------------------------------------------------------------------------
/sample-manifests/spoke-mno/05_ManagedCluster.yaml:
--------------------------------------------------------------------------------
apiVersion: cluster.open-cluster-management.io/v1
kind: ManagedCluster
metadata:
  name: mgmt-spoke1
  namespace: mgmt-spoke1
spec:
  hubAcceptsClient: true
--------------------------------------------------------------------------------
/sample-manifests/spoke-sno/05_ManagedCluster.yaml:
--------------------------------------------------------------------------------
apiVersion: cluster.open-cluster-management.io/v1
kind: ManagedCluster
metadata:
  name: mgmt-spoke1
  namespace: mgmt-spoke1
spec:
  hubAcceptsClient: true
--------------------------------------------------------------------------------
/sample-manifests/automation/rhacm-argocd/gitops-templates/pre-reqs/sno-1/kustomization.yaml:
--------------------------------------------------------------------------------
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - bmh-secret.yaml
  - namespace.yaml
  - pull-secret.yaml
--------------------------------------------------------------------------------
/sample-manifests/automation/rhacm-argocd/gitops-templates/pre-reqs/sno-2/kustomization.yaml:
--------------------------------------------------------------------------------
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - bmh-secret.yaml
  - namespace.yaml
  - pull-secret.yaml
--------------------------------------------------------------------------------
/sample-manifests/automation/rhacm-argocd/gitops-templates/site-policies/site-specific-policies/FE-LAB-namespace.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: fe-lab-policies
  labels:
    name: fe-lab-policies
--------------------------------------------------------------------------------
/sample-manifests/hub/06_AI-Optional-ServiceConfig.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: ConfigMap
metadata:
  name: assisted-service-config
  namespace: open-cluster-management
  labels:
    app: assisted-service
data:
  LOG_LEVEL: "debug"
--------------------------------------------------------------------------------
/sample-manifests/automation/rhacm-argocd/gitops-templates/pre-reqs/sno-1/bmh-secret.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Secret
metadata:
  name: sno-1-master0
  namespace: sno-1
data:
  username: YWRtaW4=
  password: YWRyb2dhbGxvcA==
type: Opaque
--------------------------------------------------------------------------------
/sample-manifests/automation/rhacm-argocd/gitops-templates/pre-reqs/sno-2/bmh-secret.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Secret
metadata:
  name: sno-2-master0
  namespace: sno-2
data:
  username: YWRtaW4=
  password: YWRyb2dhbGxvcA==
type: Opaque
--------------------------------------------------------------------------------
/sample-manifests/env:
--------------------------------------------------------------------------------
export DEFAULT_SNAPSHOT="2.3.0-DOWNSTREAM-2021-06-25-01-44-45"
export KUBECONFIG=${HOME}/ipv6/mgmt-hub/auth/kubeconfig
export CUSTOM_REGISTRY_REPO=bm-cluster-1-hyper.e2e.bos.redhat.com:5000/rhacm2
export COMPOSITE_BUNDLE=true
export DEBUG=true
--------------------------------------------------------------------------------
/sample-manifests/hub/03_AI-ClusterImageSet.yaml:
--------------------------------------------------------------------------------
---
apiVersion: hive.openshift.io/v1
kind: ClusterImageSet
metadata:
  name: openshift-v4.8.0
  namespace: open-cluster-management
spec:
  releaseImage: bm-cluster-1-hyper.e2e.bos.redhat.com:5000/ocp4:4.8.0-rc.1-x86_64
--------------------------------------------------------------------------------
/sample-manifests/automation/rhacm-argocd/gitops-templates/hub-prereqs/kustomization.yaml:
--------------------------------------------------------------------------------
resources:
  - 01_clusterimageset.yaml
  - 02_pull_secret.yaml
  - 03_disconnected_mirror_config.yaml
  - 04_assisted-service.yaml
  - 05_gitops-operator-icsp.yaml
  - 06_gitops-operator-install.yaml
--------------------------------------------------------------------------------
/sample-manifests/automation/rhacm-alone/acm-prereqs/01_clusterimageset.yaml:
--------------------------------------------------------------------------------
---
apiVersion: hive.openshift.io/v1
kind: ClusterImageSet
metadata:
  name: openshift-v4.8.0
  namespace: open-cluster-management
spec:
  releaseImage: bm-cluster-1-hyper.e2e.bos.redhat.com:5000/ocp4:4.8.2-x86_64
--------------------------------------------------------------------------------
/.github/workflows/label.yml:
--------------------------------------------------------------------------------
name: "Label PRs from globs"
on:
  schedule:
    - cron: "0 */5 * * 1-5"

jobs:
  execute:
    runs-on: ubuntu-latest
    steps:
      - uses: jpmcb/prow-github-actions@v1.1.3
        with:
          jobs: 'pr-labeler'
          github-token: "${{ secrets.GITHUB_TOKEN }}"
--------------------------------------------------------------------------------
/sample-manifests/automation/rhacm-alone/clusters/sno-1/kustomization.yaml:
--------------------------------------------------------------------------------
resources:
  - 00_namespace.yaml
  - 01_pull_secret.yaml
  - 02_workload_partitioning.yaml
  - 03_nmstate.yaml
  - 04_agentcluster.yaml
  - 05_clusterdeployment.yaml
  - 06_klusterletaddonconfig.yaml
  - 07_managedcluster.yaml
  - 08_infraenv.yaml
  - 09_bmh.yaml
--------------------------------------------------------------------------------
/sample-manifests/automation/rhacm-alone/clusters/sno-2/kustomization.yaml:
--------------------------------------------------------------------------------
resources:
  - 00_namespace.yaml
  - 01_pull_secret.yaml
  - 02_workload_partitioning.yaml
  - 03_nmstate.yaml
  - 04_agentcluster.yaml
  - 05_clusterdeployment.yaml
  - 06_klusterletaddonconfig.yaml
  - 07_managedcluster.yaml
  - 08_infraenv.yaml
  - 09_bmh.yaml
--------------------------------------------------------------------------------
/sample-manifests/automation/rhacm-argocd/gitops-templates/hub-prereqs/07-rbac-mcs-sno.yaml:
--------------------------------------------------------------------------------
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rbac-mcs-sno
rules:
  - apiGroups: ["cluster.open-cluster-management.io"]
    resources: ["managedclustersets/join"]
    resourceNames: ["*"]
    verbs: ["create"]
--------------------------------------------------------------------------------
/sample-manifests/automation/rhacm-argocd/gitops-templates/hub-prereqs/02_pull_secret.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: Secret
metadata:
  name: assisted-deployment-pull-secret
  namespace: open-cluster-management
stringData:
  .dockerconfigjson: '{"auths":{"bm-cluster-1-hyper.e2e.bos.redhat.com:5000":{"auth":"ZHVtbXk6ZHVtbXk="}}}'
type: kubernetes.io/dockerconfigjson
--------------------------------------------------------------------------------
/.github/workflows/greetings.yml:
--------------------------------------------------------------------------------
name: Greetings

on: [pull_request_target, issues]

jobs:
  greeting:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/first-interaction@v1.1.1
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          issue-message: 'Thank you for raising this issue'
          pr-message: 'Thank you for making this first PR'
--------------------------------------------------------------------------------
/.github/workflows/broken-link-check.yml:
--------------------------------------------------------------------------------
on:
  schedule:
    - cron: "0 22 * * 1-5"
  repository_dispatch: # run manually
    types: [check-link]
  # push:
  # ...

name: Broken Link Check
jobs:
  check:
    name: Broken Link Check
    runs-on: ubuntu-latest
    steps:
      - name: Broken Link Check
        uses: technote-space/broken-link-checker-action@v2
--------------------------------------------------------------------------------
/sample-manifests/automation/rhacm-alone/clusters/sno-1/07_managedcluster.yaml:
--------------------------------------------------------------------------------
---
apiVersion: cluster.open-cluster-management.io/v1
kind: ManagedCluster
metadata:
  name: sno-1
  namespace: sno-1
  labels:
    name: sno-1
    infra: "faregde"
    server: "HP"
    pao: "true"
    sriov: "true"
    sno: "true"
spec:
  hubAcceptsClient: true
  leaseDurationSeconds: 60
--------------------------------------------------------------------------------
/sample-manifests/hub/02_localVolume.yaml:
--------------------------------------------------------------------------------
apiVersion: local.storage.openshift.io/v1
kind: LocalVolume
metadata:
  name: fs
  namespace: openshift-local-storage
spec:
  logLevel: Normal
  managementState: Managed
  storageClassDevices:
    - devicePaths:
        - /dev/sdb
        - /dev/sdc
      fsType: ext4
      storageClassName: fs-lso
      volumeMode: Filesystem
--------------------------------------------------------------------------------
/.github/workflows/auto-merge.yml:
--------------------------------------------------------------------------------
name: auto-merge dependabot

on:
  pull_request:

jobs:
  auto-merge:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: ahmadnassri/action-dependabot-auto-merge@v2.6
        if: github.actor == 'dependabot[bot]' || github.actor == 'dependabot-preview[bot]'
        with:
          target: minor
          github-token: "${{ secrets.GHA }}"
--------------------------------------------------------------------------------
/sample-manifests/automation/rhacm-alone/clusters/sno-2/07_managedcluster.yaml:
--------------------------------------------------------------------------------
---
apiVersion: cluster.open-cluster-management.io/v1
kind: ManagedCluster
metadata:
  name: mgmt-spoke1-sno-2
  namespace: mgmt-spoke1-sno-2
  labels:
    name: mgmt-spoke1-sno-2
    infra: "faregde"
    server: "HP"
    pao: "true"
    sriov: "false"
    sno: "true"
spec:
  hubAcceptsClient: true
  leaseDurationSeconds: 60
--------------------------------------------------------------------------------
/sample-manifests/spoke-mno/01_AI-pull-secret.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Secret
metadata:
  name: assisted-deployment-pull-secret
  namespace: mgmt-spoke1
stringData:
  .dockerconfigjson: '{"auths":{"registry.ci.openshift.org":{"auth":"dXNlcjiZ3dasdNTSFffsafzJubE80LVYngtMlRGdw=="},"registry.svc.ci.openshift.org":{"auth":"dasdaddjo3b1NwNlpYX2kyVLacctNcU9F"},"quay.io":{"auth":"b3BlbnNoaWZ0LXJlbGGMVlTNkk1NlVQUQ==","lab-installer.lab-net:5000":{"auth":"ZHVtbXk6ZHVtbXk=","email":"jhendrix@karmalabs.com"}}}'
type: kubernetes.io/dockerconfigjson
--------------------------------------------------------------------------------
/sample-manifests/spoke-sno/01_AI-pull-secret.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Secret
metadata:
  name: assisted-deployment-pull-secret
  namespace: mgmt-spoke1
stringData:
  .dockerconfigjson: '{"auths":{"registry.ci.openshift.org":{"auth":"dXNlcjiZ3dasdNTSFffsafzJubE80LVYngtMlRGdw=="},"registry.svc.ci.openshift.org":{"auth":"dasdaddjo3b1NwNlpYX2kyVLacctNcU9F"},"quay.io":{"auth":"b3BlbnNoaWZ0LXJlbGGMVlTNkk1NlVQUQ==","lab-installer.lab-net:5000":{"auth":"ZHVtbXk6ZHVtbXk=","email":"jhendrix@karmalabs.com"}}}'
type: kubernetes.io/dockerconfigjson
--------------------------------------------------------------------------------
/sample-manifests/hub/07_AI-pull-secret.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Secret
metadata:
  name: assisted-deployment-pull-secret
  namespace: open-cluster-management
stringData:
  .dockerconfigjson: '{"auths":{"registry.ci.openshift.org":{"auth":"dXNlcjiZ3dasdNTSFffsafzJubE80LVYngtMlRGdw=="},"registry.svc.ci.openshift.org":{"auth":"dasdaddjo3b1NwNlpYX2kyVLacctNcU9F"},"quay.io":{"auth":"b3BlbnNoaWZ0LXJlbGGMVlTNkk1NlVQUQ==","lab-installer.lab-net:5000":{"auth":"ZHVtbXk6ZHVtbXk=","email":"jhendrix@karmalabs.com"}}}'
type: kubernetes.io/dockerconfigjson
--------------------------------------------------------------------------------
/sample-manifests/automation/rhacm-alone/clusters/sno-2/01_pull_secret.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Secret
metadata:
  name: assisted-deployment-pull-secret-sno-2
  namespace: sno-2
stringData:
  .dockerconfigjson: '{"auths":{"registry.ci.openshift.org":{"auth":"dXNlcjiZ3dasdNTSFffsafzJubE80LVYngtMlRGdw=="},"registry.svc.ci.openshift.org":{"auth":"dasdaddjo3b1NwNlpYX2kyVLacctNcU9F"},"quay.io":{"auth":"b3BlbnNoaWZ0LXJlbGGMVlTNkk1NlVQUQ==","lab-installer.lab-net:5000":{"auth":"ZHVtbXk6ZHVtbXk=","email":"jhendrix@karmalabs.com"}}}'
type: kubernetes.io/dockerconfigjson
--------------------------------------------------------------------------------
/sample-manifests/automation/rhacm-alone/clusters/sno-1/01_pull_secret.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: Secret
metadata:
  name: assisted-deployment-pull-secret-sno-1
  namespace: sno-1
stringData:
  .dockerconfigjson: '{"auths":{"registry.ci.openshift.org":{"auth":"dXNlcjiZ3dasdNTSFffsafzJubE80LVYngtMlRGdw=="},"registry.svc.ci.openshift.org":{"auth":"dasdaddjo3b1NwNlpYX2kyVLacctNcU9F"},"quay.io":{"auth":"b3BlbnNoaWZ0LXJlbGGMVlTNkk1NlVQUQ==","lab-installer.lab-net:5000":{"auth":"ZHVtbXk6ZHVtbXk=","email":"jhendrix@karmalabs.com"}}}'
type: kubernetes.io/dockerconfigjson
--------------------------------------------------------------------------------
/sample-manifests/automation/rhacm-alone/acm-prereqs/02_pull_secret.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: Secret
metadata:
  name: assisted-deployment-pull-secret
  namespace: open-cluster-management
stringData:
  .dockerconfigjson: '{"auths":{"registry.ci.openshift.org":{"auth":"dXNlcjiZ3dasdNTSFffsafzJubE80LVYngtMlRGdw=="},"registry.svc.ci.openshift.org":{"auth":"dasdaddjo3b1NwNlpYX2kyVLacctNcU9F"},"quay.io":{"auth":"b3BlbnNoaWZ0LXJlbGGMVlTNkk1NlVQUQ==","lab-installer.lab-net:5000":{"auth":"ZHVtbXk6ZHVtbXk=","email":"jhendrix@karmalabs.com"}}}'
type: kubernetes.io/dockerconfigjson
--------------------------------------------------------------------------------
/sample-manifests/spoke-mno/04_KlusterletAddonConfig.yaml:
--------------------------------------------------------------------------------
apiVersion: agent.open-cluster-management.io/v1
kind: KlusterletAddonConfig
metadata:
  name: mgmt-spoke1
  namespace: mgmt-spoke1
spec:
  clusterName: mgmt-spoke1
  clusterNamespace: mgmt-spoke1
  clusterLabels:
    cloud: auto-detect
    vendor: auto-detect
  applicationManager:
    enabled: false
  certPolicyController:
    enabled: false
  iamPolicyController:
    enabled: false
  policyController:
    enabled: false
  searchCollector:
    enabled: false
--------------------------------------------------------------------------------
/sample-manifests/spoke-sno/04_KlusterletAddonConfig.yaml:
--------------------------------------------------------------------------------
apiVersion: agent.open-cluster-management.io/v1
kind: KlusterletAddonConfig
metadata:
  name: mgmt-spoke1
  namespace: mgmt-spoke1
spec:
  clusterName: mgmt-spoke1
  clusterNamespace: mgmt-spoke1
  clusterLabels:
    cloud: auto-detect
    vendor: auto-detect
  applicationManager:
    enabled: false
  certPolicyController:
    enabled: false
  iamPolicyController:
    enabled: false
  policyController:
    enabled: false
  searchCollector:
    enabled: false
--------------------------------------------------------------------------------
/sample-manifests/automation/rhacm-argocd/gitops-templates/pre-reqs/sno-1/pull-secret.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: Secret
metadata:
  name: assisted-deployment-pull-secret-sno-1
  namespace: sno-1
stringData:
  .dockerconfigjson: '{"auths":{"registry.ci.openshift.org":{"auth":"dXNlcjiZ3dasdNTSFffsafzJubE80LVYngtMlRGdw=="},"registry.svc.ci.openshift.org":{"auth":"dasdaddjo3b1NwNlpYX2kyVLacctNcU9F"},"quay.io":{"auth":"b3BlbnNoaWZ0LXJlbGGMVlTNkk1NlVQUQ==","lab-installer.lab-net:5000":{"auth":"ZHVtbXk6ZHVtbXk=","email":"jhendrix@karmalabs.com"}}}'
type: kubernetes.io/dockerconfigjson
--------------------------------------------------------------------------------
/sample-manifests/automation/rhacm-argocd/gitops-templates/pre-reqs/sno-2/pull-secret.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: Secret
metadata:
  name: assisted-deployment-pull-secret-sno-2
  namespace: sno-2
stringData:
  .dockerconfigjson: '{"auths":{"registry.ci.openshift.org":{"auth":"dXNlcjiZ3dasdNTSFffsafzJubE80LVYngtMlRGdw=="},"registry.svc.ci.openshift.org":{"auth":"dasdaddjo3b1NwNlpYX2kyVLacctNcU9F"},"quay.io":{"auth":"b3BlbnNoaWZ0LXJlbGGMVlTNkk1NlVQUQ==","lab-installer.lab-net:5000":{"auth":"ZHVtbXk6ZHVtbXk=","email":"jhendrix@karmalabs.com"}}}'
type: kubernetes.io/dockerconfigjson
--------------------------------------------------------------------------------
/sample-manifests/automation/rhacm-alone/clusters/sno-2/06_klusterletaddonconfig.yaml:
--------------------------------------------------------------------------------
---
apiVersion: agent.open-cluster-management.io/v1
kind: KlusterletAddonConfig
metadata:
  name: sno-2
  namespace: sno-2
spec:
  clusterName: sno-2
  clusterNamespace: sno-2
  clusterLabels:
    name: sno-2
    cloud: Baremetal
    vendor: HP
  applicationManager:
    enabled: true
  certPolicyController:
    enabled: false
  iamPolicyController:
    enabled: false
  policyController:
    enabled: true
  searchCollector:
    enabled: false
--------------------------------------------------------------------------------
/sample-manifests/hub/01_LSO.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: operators.coreos.com/v1 3 | kind: OperatorGroup 4 | metadata: 5 | name: openshift-local-storage 6 | namespace: openshift-local-storage 7 | spec: 8 | targetNamespaces: 9 | - openshift-local-storage 10 | --- 11 | apiVersion: operators.coreos.com/v1alpha1 12 | kind: Subscription 13 | metadata: 14 | name: local-storage-operator 15 | namespace: openshift-local-storage 16 | spec: 17 | channel: "4.7" 18 | installPlanApproval: Automatic 19 | name: local-storage-operator 20 | source: custom-redhat-operator-catalog-v4-8 21 | sourceNamespace: openshift-marketplace 22 | -------------------------------------------------------------------------------- /sample-manifests/automation/rhacm-alone/clusters/sno-1/06_klusterletaddonconfig.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: agent.open-cluster-management.io/v1 3 | kind: KlusterletAddonConfig 4 | metadata: 5 | name: sno-1 6 | namespace: sno-1 7 | spec: 8 | clusterName: sno-1 9 | clusterNamespace: sno-1 10 | clusterLabels: 11 | name: sno-1 12 | cloud: Baremetal 13 | vendor: HP 14 | applicationManager: 15 | argocdCluster: false 16 | enabled: true 17 | certPolicyController: 18 | enabled: true 19 | iamPolicyController: 20 | enabled: true 21 | policyController: 22 | enabled: true 23 | searchCollector: 24 | enabled: true 25 | -------------------------------------------------------------------------------- /sample-manifests/automation/rhacm-alone/clusters/sno-1/08_infraenv.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: agent-install.openshift.io/v1beta1 3 | kind: InfraEnv 4 | metadata: 5 | name: sno-1 6 | namespace: sno-1 7 | spec: 8 | additionalNTPSources: 9 | - fd00:4888:2000:1181::20 10 | clusterRef: 11 | name: sno-1 12 | namespace: sno-1 13 | sshAuthorizedKey: 
'ssh-rsa adasdlkasjdlklaskdjadoipjasdoiasj root@xxxxXXXXxxx' 14 | agentLabelSelector: 15 | matchLabels: 16 | cluster-name: sno-1 17 | pullSecretRef: 18 | name: assisted-deployment-pull-secret-sno-1 19 | nmStateConfigLabelSelector: 20 | matchLabels: 21 | acm-ai-sno: sno-1 22 | -------------------------------------------------------------------------------- /sample-manifests/automation/rhacm-alone/clusters/sno-2/08_infraenv.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: agent-install.openshift.io/v1beta1 3 | kind: InfraEnv 4 | metadata: 5 | name: sno-2 6 | namespace: sno-2 7 | spec: 8 | additionalNTPSources: 9 | - fd00:4888:2000:1181::20 10 | clusterRef: 11 | name: sno-2 12 | namespace: sno-2 13 | sshAuthorizedKey: 'ssh-rsa adasdlkasjdlklaskdjadoipjasdoiasj root@xxxxXXXXxxx' 14 | agentLabelSelector: 15 | matchLabels: 16 | cluster-name: sno-2 17 | pullSecretRef: 18 | name: assisted-deployment-pull-secret-sno-2 19 | nmStateConfigLabelSelector: 20 | matchLabels: 21 | acm-ai-sno: sno-2 22 | -------------------------------------------------------------------------------- /sample-manifests/automation/rhacm-argocd/gitops-templates/hub-prereqs/06_gitops-operator-install.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: operators.coreos.com/v1alpha1 3 | kind: Subscription 4 | metadata: 5 | name: openshift-gitops-operator 6 | namespace: openshift-operators 7 | spec: 8 | config: 9 | env: 10 | - name: ARGOCD_CLUSTER_CONFIG_NAMESPACES 11 | value: openshift-gitops, ztp-clusters 12 | channel: "stable" 13 | installPlanApproval: Automatic 14 | name: openshift-gitops-operator 15 | # Modify source name of the catalogsource for isolated network deployments 16 | source: redhat-operator-index 17 | sourceNamespace: openshift-marketplace 18 | -------------------------------------------------------------------------------- 
/sample-manifests/automation/rhacm-argocd/gitops-templates/site-configs/post-sync.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: batch/v1 2 | kind: Job 3 | metadata: 4 | name: siteconfig-post 5 | namespace: clusters-sub 6 | generateName: post-sync- 7 | annotations: 8 | argocd.argoproj.io/hook: PostSync 9 | argocd.argoproj.io/hook-delete-policy: BeforeHookCreation 10 | spec: 11 | template: 12 | spec: 13 | containers: 14 | - name: ztp-site-generator 15 | image: bm-cluster-1-hyper.e2e.bos.redhat.com:5000/jparrill/ztp-site-generator:latest 16 | command: ["/bin/bash", "post-sync-entrypoint.sh"] 17 | restartPolicy: Never 18 | backoffLimit: 0 19 | -------------------------------------------------------------------------------- /sample-manifests/spoke-mno/03_ClusterDeployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: hive.openshift.io/v1 2 | kind: ClusterDeployment 3 | metadata: 4 | name: mgmt-spoke1 5 | namespace: mgmt-spoke1 6 | spec: 7 | baseDomain: e2e.bos.redhat.com 8 | clusterName: mgmt-spoke1 9 | controlPlaneConfig: 10 | servingCertificates: {} 11 | clusterInstallRef: 12 | group: extensions.hive.openshift.io 13 | kind: AgentClusterInstall 14 | name: mgmt-spoke1 15 | version: v1beta1 16 | platform: 17 | agentBareMetal: 18 | agentSelector: 19 | matchLabels: 20 | cluster-name: "mgmt-spoke1" 21 | pullSecretRef: 22 | name: assisted-deployment-pull-secret 23 | -------------------------------------------------------------------------------- /sample-manifests/spoke-sno/03_ClusterDeployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: hive.openshift.io/v1 2 | kind: ClusterDeployment 3 | metadata: 4 | name: mgmt-spoke1 5 | namespace: mgmt-spoke1 6 | spec: 7 | baseDomain: e2e.bos.redhat.com 8 | clusterName: mgmt-spoke1 9 | controlPlaneConfig: 10 | servingCertificates: {} 11 | clusterInstallRef: 12 | 
group: extensions.hive.openshift.io 13 | kind: AgentClusterInstall 14 | name: mgmt-spoke1 15 | version: v1beta1 16 | platform: 17 | agentBareMetal: 18 | agentSelector: 19 | matchLabels: 20 | cluster-name: "mgmt-spoke1" 21 | pullSecretRef: 22 | name: assisted-deployment-pull-secret 23 | -------------------------------------------------------------------------------- /sample-manifests/automation/rhacm-alone/clusters/sno-1/05_clusterdeployment.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: hive.openshift.io/v1 3 | kind: ClusterDeployment 4 | metadata: 5 | name: sno-1 6 | namespace: sno-1 7 | spec: 8 | baseDomain: faredge.lab 9 | clusterName: sno-1 10 | controlPlaneConfig: 11 | servingCertificates: {} 12 | clusterInstallRef: 13 | group: extensions.hive.openshift.io 14 | kind: AgentClusterInstall 15 | name: sno-1 16 | version: v1beta1 17 | platform: 18 | agentBareMetal: 19 | agentSelector: 20 | matchLabels: 21 | cluster-name: "sno-1" 22 | pullSecretRef: 23 | name: assisted-deployment-pull-secret-sno-1 24 | -------------------------------------------------------------------------------- /sample-manifests/automation/rhacm-alone/clusters/sno-2/05_clusterdeployment.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: hive.openshift.io/v1 3 | kind: ClusterDeployment 4 | metadata: 5 | name: sno-2 6 | namespace: sno-2 7 | spec: 8 | baseDomain: faredge.lab 9 | clusterName: sno-2 10 | controlPlaneConfig: 11 | servingCertificates: {} 12 | clusterInstallRef: 13 | group: extensions.hive.openshift.io 14 | kind: AgentClusterInstall 15 | name: sno-2 16 | version: v1beta1 17 | platform: 18 | agentBareMetal: 19 | agentSelector: 20 | matchLabels: 21 | cluster-name: "mgmt-spoke1-sno-2" 22 | pullSecretRef: 23 | name: assisted-deployment-pull-secret-sno-2 24 | -------------------------------------------------------------------------------- 
/sample-manifests/automation/rhacm-argocd/gitops-templates/site-configs/pre-sync.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: batch/v1 2 | kind: Job 3 | metadata: 4 | name: siteconfig-pre 5 | namespace: clusters-sub 6 | generateName: pre-sync- 7 | annotations: 8 | argocd.argoproj.io/hook: PreSync 9 | argocd.argoproj.io/hook-delete-policy: BeforeHookCreation 10 | spec: 11 | template: 12 | spec: 13 | containers: 14 | - name: ztp-site-generator 15 | image: bm-cluster-1-hyper.e2e.bos.redhat.com:5000/jparrill/ztp-site-generator:latest 16 | command: ["/bin/bash", "pre-sync-entrypoint.sh"] 17 | restartPolicy: Never 18 | backoffLimit: 0 19 | ttlSecondsAfterFinished: 60 20 | -------------------------------------------------------------------------------- /.github/workflows/pre-commit.yml: -------------------------------------------------------------------------------- 1 | name: pre-commit 2 | 3 | on: 4 | pull_request: 5 | push: 6 | branches: [master] 7 | 8 | jobs: 9 | pre-commit: 10 | runs-on: ubuntu-latest 11 | steps: 12 | - uses: actions/checkout@v3 13 | with: 14 | fetch-depth: 0 15 | - uses: actions/setup-python@v4.3.0 16 | - uses: actions/cache@v3.0.11 17 | with: 18 | path: | 19 | ~/.cache/pre-commit 20 | key: ${{ runner.os }}-precommit-${{ hashFiles('**/.pre-commit-config.yaml/*') }} 21 | restore-keys: | 22 | ${{ runner.os }}-precommit- 23 | 24 | - uses: pre-commit/action@v2.0.3 25 | with: 26 | token: ${{ secrets.GITHUB_TOKEN }} 27 | -------------------------------------------------------------------------------- /sample-manifests/spoke-mno/06_InfraEnv.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: agent-install.openshift.io/v1beta1 3 | kind: InfraEnv 4 | metadata: 5 | name: mgmt-spoke1 6 | namespace: mgmt-spoke1 7 | spec: 8 | additionalNTPSources: 9 | - bm-cluster-1-hyper.e2e.bos.redhat.com 10 | clusterRef: 11 | name: mgmt-spoke1 12 | namespace: 
mgmt-spoke1 13 | sshAuthorizedKey: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCaTkerry4XgCFGjkavergaqegPtQVtK1rH38ODIXRwCQlmCbClFQCMIR6nUn6wWCv5kcC9An7c9jg5Zjwu9g/umM0hQs1HX4nFGhg6AXyuD6jjbmrugKEO1NTjG9pKB+G6OSbbwrbydyd1ZonbrhTvN1rFSrKA+nKX2bseZDZh4ikBU4CPMpEG/F1AqBMlIyk= adrogallop@bm-chuster-1-hyper.e2e.bos.redhat.com' 14 | pullSecretRef: 15 | name: assisted-deployment-pull-secret 16 | -------------------------------------------------------------------------------- /sample-manifests/spoke-sno/06_InfraEnv.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: agent-install.openshift.io/v1beta1 3 | kind: InfraEnv 4 | metadata: 5 | name: mgmt-spoke1 6 | namespace: mgmt-spoke1 7 | spec: 8 | additionalNTPSources: 9 | - bm-cluster-1-hyper.e2e.bos.redhat.com 10 | clusterRef: 11 | name: mgmt-spoke1 12 | namespace: mgmt-spoke1 13 | sshAuthorizedKey: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCaTkerry4XgCFGjkavergaqegPtQVtK1rH38ODIXRwCQlmCbClFQCMIR6nUn6wWCv5kcC9An7c9jg5Zjwu9g/umM0hQs1HX4nFGhg6AXyuD6jjbmrugKEO1NTjG9pKB+G6OSbbwrbydyd1ZonbrhTvN1rFSrKA+nKX2bseZDZh4ikBU4CPMpEG/F1AqBMlIyk= adrogallop@bm-chuster-1-hyper.e2e.bos.redhat.com' 14 | pullSecretRef: 15 | name: assisted-deployment-pull-secret 16 | -------------------------------------------------------------------------------- /sample-manifests/automation/rhacm-argocd/gitops-templates/site-policies/pre-sync.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: batch/v1 2 | kind: Job 3 | metadata: 4 | name: policygentemplates-pre 5 | namespace: policies-sub 6 | generateName: pre-sync- 7 | annotations: 8 | argocd.argoproj.io/hook: PreSync 9 | argocd.argoproj.io/hook-delete-policy: BeforeHookCreation 10 | spec: 11 | template: 12 | spec: 13 | containers: 14 | - name: ztp-site-generator 15 | image: bm-cluster-1-hyper.e2e.bos.redhat.com:5000/jparrill/ztp-site-generator:latest 16 | command: ["/bin/bash", "pre-sync-entrypoint.sh", 
"policygentemplates"] 17 | restartPolicy: Never 18 | backoffLimit: 0 19 | ttlSecondsAfterFinished: 60 20 | -------------------------------------------------------------------------------- /sample-manifests/automation/rhacm-argocd/gitops-templates/site-policies/post-sync.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: batch/v1 2 | kind: Job 3 | metadata: 4 | name: policygentemplates-post 5 | namespace: policies-sub 6 | generateName: post-sync- 7 | annotations: 8 | argocd.argoproj.io/hook: PostSync 9 | argocd.argoproj.io/hook-delete-policy: BeforeHookCreation 10 | spec: 11 | template: 12 | spec: 13 | containers: 14 | - name: ztp-site-generator 15 | image: bm-cluster-1-hyper.e2e.bos.redhat.com:5000/jparrill/ztp-site-generator:latest 16 | command: ["/bin/bash", "post-sync-entrypoint.sh", "policygentemplates"] 17 | restartPolicy: Never 18 | backoffLimit: 0 19 | # ttlSecondsAfterFinished: 60 20 | -------------------------------------------------------------------------------- /tools/registry-start.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | host_fqdn=$(hostname --long) 4 | path=$(pwd)/registry 5 | 6 | podman create \ 7 | --name ocpdiscon-registry \ 8 | -p 5000:5000 \ 9 | -e "REGISTRY_AUTH=htpasswd" \ 10 | -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry" \ 11 | -e "REGISTRY_HTTP_SECRET=ALongRandomSecretForRegistry" \ 12 | -e "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd" \ 13 | -e "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt" \ 14 | -e "REGISTRY_HTTP_TLS_KEY=/certs/domain.key" \ 15 | -e "REGISTRY_COMPATIBILITY_SCHEMA1_ENABLED=true" \ 16 | -v ${path}/data:/var/lib/registry:z \ 17 | -v ${path}/auth:/auth:z \ 18 | -v ${path}/certs:/certs:z \ 19 | -v ${path}/conf/config.yml:/etc/docker/registry/config.yml:z \ 20 | docker.io/library/registry:2 21 | 22 | podman start ocpdiscon-registry 23 | 
-------------------------------------------------------------------------------- /.github/dependabot.yml: -------------------------------------------------------------------------------- 1 | # To get started with Dependabot version updates, you'll need to specify which 2 | # package ecosystems to update and where the package manifests are located. 3 | # Please see the documentation for all configuration options: 4 | # https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates 5 | 6 | version: 2 7 | updates: 8 | - package-ecosystem: "pip" # See documentation for possible values 9 | directory: "/" # Location of package manifests 10 | schedule: 11 | interval: "daily" 12 | 13 | # Maintain dependencies for GitHub Actions 14 | - package-ecosystem: "github-actions" 15 | directory: "/" 16 | schedule: 17 | interval: "daily" 18 | commit-message: 19 | prefix: build 20 | prefix-development: chore 21 | include: scope 22 | -------------------------------------------------------------------------------- /sample-manifests/automation/rhacm-argocd/gitops-templates/generate-localy.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | #img=quay.io/redhat_emp1/ztp-site-generator:latest 4 | img=quay.io/jparrill/ztp-site-generator:latest 5 | 6 | src_dir=${1:-generated} 7 | 8 | run_policyGen() { 9 | src=$(readlink -f ${1:-no_source_given}) 10 | dst=$(readlink -f ${2:-no_dest_given}) 11 | podman pull $img 12 | podman run -it --user=$(id -u):$(id -g) \ 13 | --userns=keep-id \ 14 | -v $src:/mnt/templates:Z \ 15 | -v $dst:/mnt/out:Z \ 16 | $img \ 17 | /usr/src/hook/ztp/ztp-policy-generator/kustomize/plugin/policyGenerator/v1/policygenerator/PolicyGenerator \ 18 | "" \ 19 | /mnt/templates/ \ 20 | /usr/src/hook/ztp/source-crs/ \ 21 | /mnt/out/ \ 22 | false 23 | } 24 | 25 | echo "Generating policy wrapped" 26 | mkdir -p out 27 | 28 | run_policyGen ./${src_dir} ./out 29 | 
-------------------------------------------------------------------------------- /sample-manifests/automation/rhacm-alone/clusters/sno-1/04_agentcluster.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: extensions.hive.openshift.io/v1beta1 3 | kind: AgentClusterInstall 4 | metadata: 5 | name: sno-1 6 | namespace: sno-1 7 | spec: 8 | # TODO: Review workload partitioning before uncommenting the next 2 lines 9 | manifestsConfigMapRef: 10 | name: workload-partitioning-install-manifests-mgmt-spoke1-sno-1 11 | clusterDeploymentRef: 12 | name: sno-1 13 | imageSetRef: 14 | name: openshift-v4.8.0 15 | networking: 16 | clusterNetwork: 17 | - cidr: "fd01::/48" 18 | hostPrefix: 64 19 | serviceNetwork: 20 | - "fd02::/112" 21 | machineNetwork: 22 | - cidr: "fd00:4888:2000:1182::/64" 23 | provisionRequirements: 24 | controlPlaneAgents: 1 25 | sshPublicKey: 'ssh-rsa adasdlkasjdlklaskdjadoipjasdoiasj root@xxxxXXXXxxx' 26 | -------------------------------------------------------------------------------- /sample-manifests/spoke-sno/02_AgentClusterInstall.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: extensions.hive.openshift.io/v1beta1 3 | kind: AgentClusterInstall 4 | metadata: 5 | name: mgmt-spoke1 6 | namespace: mgmt-spoke1 7 | spec: 8 | clusterDeploymentRef: 9 | name: mgmt-spoke1 10 | imageSetRef: 11 | name: openshift-v4.8.0 12 | networking: 13 | clusterNetwork: 14 | - cidr: "fd01::/48" 15 | hostPrefix: 64 16 | serviceNetwork: 17 | - "fd02::/112" 18 | machineNetwork: 19 | - cidr: "2620:52:0:1303::/64" 20 | provisionRequirements: 21 | controlPlaneAgents: 1 22 | sshPublicKey: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCaTkerry4XgCFGjkavergaqegPtQVtK1rH38ODIXRwCQlmCbClFQCMIR6nUn6wWCv5kcC9An7c9jg5Zjwu9g/umM0hQs1HX4nFGhg6AXyuD6jjbmrugKEO1NTjG9pKB+G6OSbbwrbydyd1ZonbrhTvN1rFSrKA+nKX2bseZDZh4ikBU4CPMpEG/F1AqBMlIyk= adrogallop@bm-chuster-1-hyper.e2e.bos.redhat.com' 23 | 
-------------------------------------------------------------------------------- /sample-manifests/automation/rhacm-alone/acm-prereqs/04_assisted-service.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: agent-install.openshift.io/v1beta1 3 | kind: AgentServiceConfig 4 | metadata: 5 | namespace: open-cluster-management 6 | name: agent 7 | spec: 8 | databaseStorage: 9 | accessModes: 10 | - ReadWriteOnce 11 | resources: 12 | requests: 13 | storage: 100Gi 14 | filesystemStorage: 15 | accessModes: 16 | - ReadWriteOnce 17 | resources: 18 | requests: 19 | storage: 100Gi 20 | mirrorRegistryRef: 21 | name: 'bastion1-mirror-config' 22 | osImages: 23 | - openshiftVersion: "4.8" 24 | version: "4.8" 25 | url: "http://bm-cluster-1-hyper.e2e.bos.redhat.com/4.8.2-x86_64/rhcos-48.84.202106091622-0-live.x86_64.iso" 26 | rootFSUrl: "http://bm-cluster-1-hyper.e2e.bos.redhat.com/4.8.2-x86_64/rhcos-48.84.202106091622-0-live-rootfs.x86_64.img" 27 | -------------------------------------------------------------------------------- /sample-manifests/spoke-mno/02_AgentClusterInstall.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: extensions.hive.openshift.io/v1beta1 3 | kind: AgentClusterInstall 4 | metadata: 5 | name: mgmt-spoke1 6 | namespace: mgmt-spoke1 7 | spec: 8 | clusterDeploymentRef: 9 | name: mgmt-spoke1 10 | imageSetRef: 11 | name: openshift-v4.8.0 12 | apiVIP: "2620:52:0:1303::3" 13 | ingressVIP: "2620:52:0:1303::2" 14 | networking: 15 | clusterNetwork: 16 | - cidr: "fd01::/48" 17 | hostPrefix: 64 18 | serviceNetwork: 19 | - "fd02::/112" 20 | provisionRequirements: 21 | controlPlaneAgents: 3 22 | sshPublicKey: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCaTkerry4XgCFGjkavergaqegPtQVtK1rH38ODIXRwCQlmCbClFQCMIR6nUn6wWCv5kcC9An7c9jg5Zjwu9g/umM0hQs1HX4nFGhg6AXyuD6jjbmrugKEO1NTjG9pKB+G6OSbbwrbydyd1ZonbrhTvN1rFSrKA+nKX2bseZDZh4ikBU4CPMpEG/F1AqBMlIyk= 
adrogallop@bm-chuster-1-hyper.e2e.bos.redhat.com' 23 | -------------------------------------------------------------------------------- /sample-manifests/automation/rhacm-argocd/gitops-templates/hub-prereqs/04_assisted-service.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: agent-install.openshift.io/v1beta1 3 | kind: AgentServiceConfig 4 | metadata: 5 | namespace: open-cluster-management 6 | name: agent 7 | spec: 8 | databaseStorage: 9 | accessModes: 10 | - ReadWriteOnce 11 | resources: 12 | requests: 13 | storage: 100Gi 14 | filesystemStorage: 15 | accessModes: 16 | - ReadWriteOnce 17 | resources: 18 | requests: 19 | storage: 100Gi 20 | mirrorRegistryRef: 21 | name: 'bastion1-mirror-config' 22 | osImages: 23 | - openshiftVersion: "4.8" 24 | version: "4.8" 25 | url: "http://bm-cluster-1-hyper.e2e.bos.redhat.com/4.7.13-x86_64/rhcos-4.7.13-x86_64-live.x86_64.iso" 26 | rootFSUrl: "http://bm-cluster-1-hyper.e2e.bos.redhat.com/4.7.13-x86_64/rhcos-4.7.13-x86_64-live-rootfs.x86_64.img" 27 | -------------------------------------------------------------------------------- /.github/workflows/stale.yml: -------------------------------------------------------------------------------- 1 | name: "Close stale issues" 2 | on: 3 | schedule: 4 | - cron: "0 0 * * *" 5 | 6 | jobs: 7 | stale: 8 | runs-on: ubuntu-latest 9 | steps: 10 | - uses: actions/stale@v6.0.1 11 | with: 12 | repo-token: ${{ secrets.GITHUB_TOKEN }} 13 | stale-issue-message: 'This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days' 14 | days-before-stale: 60 15 | days-before-close: 7 16 | stale-pr-message: 'This PR is stale because it has been open 60 days with no activity. 
Remove stale label or comment or this will be closed in 7 days' 17 | stale-issue-label: 'no-issue-activity' 18 | exempt-issue-labels: 'awaiting-approval,work-in-progress' 19 | stale-pr-label: 'no-pr-activity' 20 | exempt-pr-labels: 'awaiting-approval,work-in-progress' 21 | -------------------------------------------------------------------------------- /sample-manifests/spoke-sno/create_spoke_sno.sh: -------------------------------------------------------------------------------- 1 | export CLUSTER_NAME=mgmt-spoke1 2 | 3 | oc create ns ${CLUSTER_NAME} 4 | oc project ${CLUSTER_NAME} 5 | oc patch hiveconfig hive --type merge -p '{"spec":{"targetNamespace":"hive","logLevel":"debug","featureGates":{"custom":{"enabled":["AlphaAgentInstallStrategy"]},"featureSet":"Custom"}}}' 6 | sleep 30 7 | oc create -f 01_AI-pull-secret.yaml -f 02_AgentClusterInstall.yaml -f 03_ClusterDeployment.yaml -f 04_KlusterletAddonConfig.yaml -f 05_ManagedCluster.yaml 8 | sleep 5 9 | oc create -f 06_InfraEnv.yaml 10 | 11 | for i in {1..10}; do 12 | sleep 5 13 | ISO_URL=$(oc get infraenv ${CLUSTER_NAME} -o jsonpath='{.status.isoDownloadURL}') 14 | if [[ ! 
-z ${ISO_URL} ]]; then 15 | oc create -f 07_BMH-sno.yaml 16 | echo "Done" 17 | break 18 | elif [[ -z ${ISO_URL} ]] && [[ ${i} -ge 10 ]]; then 19 | echo "ERROR: No InfraEnv URL field on the K8s object" 20 | exit 1 21 | fi 22 | done 23 | -------------------------------------------------------------------------------- /sample-manifests/automation/rhacm-alone/clusters/sno-1/03_nmstate.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: agent-install.openshift.io/v1beta1 2 | kind: NMStateConfig 3 | metadata: 4 | name: sno-1 5 | namespace: sno-1 6 | labels: 7 | acm-ai-sno: sno-1 8 | spec: 9 | config: 10 | interfaces: 11 | - name: ens1f0.304 12 | type: vlan 13 | state: up 14 | vlan: 15 | base-iface: ens1f0 16 | id: 304 17 | 'ipv6': 18 | enabled: true 19 | address: 20 | - ip: fd00:4888:2000:1182::100 21 | prefix-length: 64 22 | dhcp: false 23 | dns-resolver: 24 | config: 25 | server: 26 | - fd00:4888:2000:1181::20 27 | routes: 28 | config: 29 | - destination: '::/0' 30 | next-hop-address: 'fd00:4888:2000:1182::' 31 | next-hop-interface: ens1f0.304 32 | interfaces: 33 | - name: "ens1f0" 34 | macAddress: b4:86:11:c3:bb:94 35 | -------------------------------------------------------------------------------- /sample-manifests/automation/rhacm-alone/clusters/sno-2/03_nmstate.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: agent-install.openshift.io/v1beta1 2 | kind: NMStateConfig 3 | metadata: 4 | name: sno-2 5 | namespace: sno-2 6 | labels: 7 | acm-ai-sno: sno-2 8 | spec: 9 | config: 10 | interfaces: 11 | - name: ens1f0.304 12 | type: vlan 13 | state: up 14 | vlan: 15 | base-iface: ens1f0 16 | id: 304 17 | 'ipv6': 18 | enabled: true 19 | address: 20 | - ip: fd00:4888:2000:1183::200 21 | prefix-length: 64 22 | dhcp: false 23 | dns-resolver: 24 | config: 25 | server: 26 | - fd00:4888:2000:1181::20 27 | routes: 28 | config: 29 | - destination: '::/0' 30 | next-hop-address: 
'fd00:4888:2000:1183::' 31 | next-hop-interface: ens1f0.304 32 | interfaces: 33 | - name: "ens1f0" 34 | macAddress: b4:86:11:c3:bb:34 35 | -------------------------------------------------------------------------------- /tools/mirror-ocp-release.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | ## Variables 4 | export PULL_SECRET_JSON=$(pwd)/pull_secret.json 5 | export LOCAL_REGISTRY=$(hostname):5000 6 | export LOCAL_REPOSITORY=ocp4 7 | export OCP_RELEASE=4.8.11-x86_64 8 | export OCP_REGISTRY=quay.io/openshift-release-dev/ocp-release 9 | 10 | ## Functional 11 | function ocp_mirror_release() { 12 | oc adm -a ${PULL_SECRET_JSON} release mirror \ 13 | --from=${OCP_REGISTRY}:${OCP_RELEASE} \ 14 | --to=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} \ 15 | --to-release-image=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE} 16 | } 17 | 18 | function download_oc_client() { 19 | oc adm --registry-config ${PULL_SECRET_JSON} release extract \ 20 | --command=oc \ 21 | --from=${OCP_REGISTRY}:${OCP_RELEASE} \ 22 | --to . 23 | 24 | if [[ ! -f oc ]]; then 25 | echo "OC Client wasn't extracted, exiting..." 
26 | exit 1 27 | fi 28 | 29 | mv oc /home/kni/bin/oc 30 | } 31 | 32 | download_oc_client 33 | ocp_mirror_release 34 | -------------------------------------------------------------------------------- /sample-manifests/hub/08_AI-Operand.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: agent-install.openshift.io/v1beta1 3 | kind: AgentServiceConfig 4 | metadata: 5 | name: agent 6 | namespace: open-cluster-management 7 | #annotations: 8 | # unsupported.agent-install.openshift.io/assisted-service-configmap: 'assisted-service-config' 9 | spec: 10 | databaseStorage: 11 | accessModes: 12 | - ReadWriteOnce 13 | resources: 14 | requests: 15 | storage: 40Gi 16 | filesystemStorage: 17 | accessModes: 18 | - ReadWriteOnce 19 | resources: 20 | requests: 21 | storage: 40Gi 22 | mirrorRegistryRef: 23 | name: 'hyper1-mirror-config' 24 | osImages: 25 | - openshiftVersion: "4.8" 26 | version: "" 27 | url: "http://[2620:52:0:1303::1]/4.8.0-rc.1-x86_64/rhcos-48.84.202106091622-0-live.x86_64.iso" 28 | rootFSUrl: "http://[2620:52:0:1303::1]/4.8.0-rc.1-x86_64/rhcos-48.84.202106091622-0-live-rootfs.x86_64.img" 29 | cpuArchitecture: x86_64 30 | -------------------------------------------------------------------------------- /sample-manifests/automation/rhacm-alone/acm/00_acm-demo.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: app.k8s.io/v1beta1 2 | kind: Application 3 | metadata: 4 | name: acm-demo 5 | namespace: ztp-clusters 6 | spec: 7 | componentKinds: 8 | - group: apps.open-cluster-management.io 9 | kind: Subscription 10 | descriptor: {} 11 | selector: 12 | matchExpressions: 13 | - key: app 14 | operator: In 15 | values: 16 | - acm-demo 17 | --- 18 | apiVersion: apps.open-cluster-management.io/v1 19 | kind: Subscription 20 | metadata: 21 | annotations: 22 | apps.open-cluster-management.io/git-branch: main 23 | apps.open-cluster-management.io/git-path: acm 24 | 
apps.open-cluster-management.io/reconcile-option: merge 25 | labels: 26 | app: acm-demo 27 | name: acm-demo-subscription-1 28 | namespace: ztp-clusters 29 | spec: 30 | channel: ztp-clusters/ztp-repository 31 | placement: 32 | placementRef: 33 | kind: PlacementRule 34 | name: local-cluster-placement 35 | -------------------------------------------------------------------------------- /sample-manifests/spoke-mno/create_spoke.sh: -------------------------------------------------------------------------------- 1 | export CLUSTER_NAME=mgmt-spoke1 2 | 3 | oc create ns ${CLUSTER_NAME} 4 | oc project ${CLUSTER_NAME} 5 | oc patch hiveconfig hive --type merge -p '{"spec":{"targetNamespace":"hive","logLevel":"debug","featureGates":{"custom":{"enabled":["AlphaAgentInstallStrategy"]},"featureSet":"Custom"}}}' 6 | sleep 30 7 | oc create -f 01_AI-pull-secret.yaml -f 02_AgentClusterInstall.yaml -f 03_ClusterDeployment.yaml -f 04_KlusterletAddonConfig.yaml -f 05_ManagedCluster.yaml 8 | sleep 5 9 | oc create -f 06_InfraEnv.yaml 10 | 11 | for i in {1..10}; do 12 | sleep 5 13 | ISO_URL=$(oc get infraenv ${CLUSTER_NAME} -o jsonpath='{.status.isoDownloadURL}') 14 | if [[ ! 
-z ${ISO_URL} ]]; then 15 | oc create -f 07_BMH-spoke1-master0.yaml -f 07_BMH-spoke1-master1.yaml -f 07_BMH-spoke1-master2.yaml 16 | echo "Done" 17 | break 18 | elif [[ -z ${ISO_URL} ]] && [[ ${i} -ge 10 ]]; then 19 | echo "ERROR: No InfraEnv URL field on the K8s object" 20 | exit 1 21 | fi 22 | done 23 | -------------------------------------------------------------------------------- /tools/cert-maker.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | ## Variables to fill 4 | host_fqdn=$(hostname --long) 5 | path=$(pwd)/registry 6 | cert_c="ES" # Country Name (C, 2 letter code) 7 | cert_s="Spain" # Certificate State (S) 8 | cert_l="Madrid" # Certificate Locality (L) 9 | cert_o="adrogallop SL" # Certificate Organization (O) 10 | cert_ou="infra" # Certificate Organizational Unit (OU) 11 | cert_cn="${host_fqdn}" # Certificate Common Name (CN) 12 | 13 | ## Functional part of the script 14 | mkdir -p ${path}/{auth,certs,data} 15 | 16 | openssl req \ 17 | -newkey rsa:4096 \ 18 | -nodes \ 19 | -sha256 \ 20 | -keyout ${path}/certs/domain.key \ 21 | -x509 \ 22 | -days 3650 \ 23 | -out ${path}/certs/domain.crt \ 24 | -addext "subjectAltName = DNS:${host_fqdn}" \ 25 | -subj "/C=${cert_c}/ST=${cert_s}/L=${cert_l}/O=${cert_o}/OU=${cert_ou}/CN=${cert_cn}" 26 | 27 | sudo cp ${path}/certs/domain.crt /etc/pki/ca-trust/source/anchors/ 28 | sudo update-ca-trust extract 29 | htpasswd -bBc ${path}/auth/htpasswd dummy dummy 30 | -------------------------------------------------------------------------------- /sample-manifests/automation/rhacm-alone/clusters/sno-1/09_bmh.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: sno-1-master0 6 | namespace: sno-1 7 | data: 8 | username: YWRtaW4= 9 | password: YWRyb2dhbGxvcA== 10 | type: Opaque 11 | --- 12 | apiVersion: metal3.io/v1alpha1 13 | kind: BareMetalHost 14 | metadata: 15 | 
name: sno-1-master0 16 | namespace: sno-1 17 | labels: 18 | infraenvs.agent-install.openshift.io: "sno-1" 19 | annotations: 20 | ## Set Static hostname 21 | bmac.agent-install.openshift.io/hostname: "master-0.sno-1.faredge.lab" 22 | ## Set Static Role 23 | bmac.agent-install.openshift.io/role: "master" 24 | spec: 25 | online: true 26 | bootMACAddress: b4:86:11:c3:bb:94 27 | automatedCleaningMode: disabled 28 | bootMode: UEFI 29 | bmc: 30 | address: redfish-virtualmedia://[fd00:4888:2000:1185::25]/redfish/v1/Systems/1 31 | credentialsName: sno-1-master0 32 | disableCertificateVerification: true 33 | rootDeviceHints: 34 | deviceName: "/dev/nvme0n1" 35 | -------------------------------------------------------------------------------- /sample-manifests/automation/rhacm-alone/clusters/sno-2/09_bmh.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: sno-2-master0 6 | namespace: sno-2 7 | data: 8 | username: YWRtaW4= 9 | password: YWRyb2dhbGxvcA== 10 | type: Opaque 11 | --- 12 | apiVersion: metal3.io/v1alpha1 13 | kind: BareMetalHost 14 | metadata: 15 | name: sno-2-master0 16 | namespace: sno-2 17 | labels: 18 | infraenvs.agent-install.openshift.io: "sno-2" 19 | annotations: 20 | ## Set Static hostname 21 | bmac.agent-install.openshift.io/hostname: "master-0.sno-2.faredge.lab" 22 | ## Set Static Role 23 | bmac.agent-install.openshift.io/role: "master" 24 | spec: 25 | online: true 26 | bootMACAddress: b4:86:11:c3:bb:34 27 | automatedCleaningMode: disabled 28 | bootMode: UEFI 29 | bmc: 30 | address: redfish-virtualmedia://[fd00:4888:2000:1185::26]/redfish/v1/Systems/1 31 | credentialsName: sno-2-master0 32 | disableCertificateVerification: true 33 | rootDeviceHints: 34 | deviceName: "/dev/nvme0n1" 35 | -------------------------------------------------------------------------------- /sample-manifests/spoke-sno/07_BMH-sno.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: ipv6-spoke1-master0 6 | namespace: mgmt-spoke1 7 | data: 8 | username: YWRtaW4= 9 | password: YWRyb2dhbGxvcA== 10 | type: Opaque 11 | --- 12 | apiVersion: metal3.io/v1alpha1 13 | kind: BareMetalHost 14 | metadata: 15 | name: ipv6-spoke1-master0 16 | namespace: mgmt-spoke1 17 | labels: 18 | infraenvs.agent-install.openshift.io: "mgmt-spoke1" 19 | annotations: 20 | ## Disable the Introspection 21 | inspect.metal3.io: disabled 22 | ## Set Static Hostname 23 | bmac.agent-install.openshift.io/hostname: "ipv6-spoke1-master0" 24 | ## Set Static Role 25 | bmac.agent-install.openshift.io/role: "master" 26 | spec: 27 | online: true 28 | bootMACAddress: A0:36:9F:6C:0A:39 29 | automatedCleaningMode: disabled 30 | bmc: 31 | address: idrac-virtualmedia+https://[2620:52:0:1300::34]/redfish/v1/Systems/System.Embedded.1 32 | credentialsName: ipv6-spoke1-master0 33 | disableCertificateVerification: true 34 | rootDeviceHints: 35 | deviceName: "/dev/sda" 36 | -------------------------------------------------------------------------------- /sample-manifests/spoke-mno/07_BMH-spoke1-master0.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: ipv6-spoke1-master0 6 | namespace: mgmt-spoke1 7 | data: 8 | username: YWRtaW4= 9 | password: YWRyb2dhbGxvcA== 10 | type: Opaque 11 | --- 12 | apiVersion: metal3.io/v1alpha1 13 | kind: BareMetalHost 14 | metadata: 15 | name: ipv6-spoke1-master0 16 | namespace: mgmt-spoke1 17 | labels: 18 | infraenvs.agent-install.openshift.io: "mgmt-spoke1" 19 | annotations: 20 | ## Disable the Introspection 21 | inspect.metal3.io: disabled 22 | ## Set Static Hostname 23 | bmac.agent-install.openshift.io/hostname: "ipv6-spoke1-master0" 24 | ## Set Static Role 25 | bmac.agent-install.openshift.io/role: "master" 26 | 
spec: 27 | online: true 28 | bootMACAddress: A0:36:9F:6C:0A:39 29 | automatedCleaningMode: disabled 30 | bmc: 31 | address: idrac-virtualmedia+https://[2620:52:0:1300::34]/redfish/v1/Systems/System.Embedded.1 32 | credentialsName: ipv6-spoke1-master0 33 | disableCertificateVerification: true 34 | rootDeviceHints: 35 | deviceName: "/dev/sda" 36 | -------------------------------------------------------------------------------- /sample-manifests/spoke-mno/07_BMH-spoke1-master1.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: ipv6-spoke1-master1 6 | namespace: mgmt-spoke1 7 | data: 8 | username: YWRtaW4= 9 | password: YWRyb2dhbGxvcA== 10 | type: Opaque 11 | --- 12 | apiVersion: metal3.io/v1alpha1 13 | kind: BareMetalHost 14 | metadata: 15 | name: ipv6-spoke1-master1 16 | namespace: mgmt-spoke1 17 | labels: 18 | infraenvs.agent-install.openshift.io: "mgmt-spoke1" 19 | annotations: 20 | ## Disable the Introspection 21 | inspect.metal3.io: disabled 22 | ## Set Static Hostname 23 | bmac.agent-install.openshift.io/hostname: "ipv6-spoke1-master1" 24 | ## Set Static Role 25 | bmac.agent-install.openshift.io/role: "master" 26 | spec: 27 | online: true 28 | bootMACAddress: A0:36:9F:6C:0C:11 29 | automatedCleaningMode: disabled 30 | bmc: 31 | address: idrac-virtualmedia+https://[2620:52:0:1300::35]/redfish/v1/Systems/System.Embedded.1 32 | credentialsName: ipv6-spoke1-master1 33 | disableCertificateVerification: true 34 | rootDeviceHints: 35 | deviceName: "/dev/sda" 36 | -------------------------------------------------------------------------------- /sample-manifests/spoke-mno/07_BMH-spoke1-master2.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: ipv6-spoke1-master2 6 | namespace: mgmt-spoke1 7 | data: 8 | username: YWRtaW4= 9 | password: YWRyb2dhbGxvcA== 10 | type: 
Opaque 11 | --- 12 | apiVersion: metal3.io/v1alpha1 13 | kind: BareMetalHost 14 | metadata: 15 | name: ipv6-spoke1-master2 16 | namespace: mgmt-spoke1 17 | labels: 18 | infraenvs.agent-install.openshift.io: "mgmt-spoke1" 19 | annotations: 20 | ## Disable the Introspection 21 | inspect.metal3.io: disabled 22 | ## Set Static Hostname 23 | bmac.agent-install.openshift.io/hostname: "ipv6-spoke1-master2" 24 | ## Set Static Role 25 | bmac.agent-install.openshift.io/role: "master" 26 | spec: 27 | online: true 28 | bootMACAddress: A0:36:9F:6C:0D:C1 29 | automatedCleaningMode: disabled 30 | bmc: 31 | address: idrac-virtualmedia+https://[2620:52:0:1300::36]/redfish/v1/Systems/System.Embedded.1 32 | credentialsName: ipv6-spoke1-master2 33 | disableCertificateVerification: true 34 | rootDeviceHints: 35 | deviceName: "/dev/sda" 36 | -------------------------------------------------------------------------------- /sample-manifests/automation/rhacm-alone/clusters/sno-2/04_agentcluster.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: extensions.hive.openshift.io/v1beta1 3 | kind: AgentClusterInstall 4 | metadata: 5 | name: sno-2 6 | namespace: sno-2 7 | spec: 8 | clusterDeploymentRef: 9 | name: sno-2 10 | imageSetRef: 11 | name: openshift-v4.8.0 12 | networking: 13 | clusterNetwork: 14 | - cidr: "fd01::/48" 15 | hostPrefix: 64 16 | serviceNetwork: 17 | - "fd02::/112" 18 | machineNetwork: 19 | - cidr: "fd00:4888:2000:1183::/64" 20 | provisionRequirements: 21 | controlPlaneAgents: 1 22 | sshPublicKey: 'ssh-rsa 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 root@bastion1.hqplan.lan' 23 | -------------------------------------------------------------------------------- /docs/automation-massive-deployments-ztp.md: -------------------------------------------------------------------------------- 1 | # Automation and Massive deployments with ZTP 2 | 3 | This topic it's a bit complicated, we have a base already working 
which is purely based on RHACM and Assisted Installer. The latter is covered by the first part of the documentation, in the Connected and Disconnected flows. Now it's time to focus on some automation for Day 2 tasks (after the SNO deployment).

For that we can follow 2 approaches; here you decide which path is the best for you:

- I will deploy fewer than ~250 SNO clusters.
- I will deploy more than ~250 SNO clusters.

RHACM has an internal capability that generates an object called "deployable" to monitor the things it manages. For example, think of an application + subscription generated by RHACM: every object created by both generates a deployable, multiplied by the number of existing clusters managed by RHACM where the App + Sub is acting. That means if this application contains 30 objects, you will have 30 \* number of SNOs objects, and that is only what this one app generates. This is a massive load for ETCD just to manage 1 application, so you have an alternative, which is using RHACM + ArgoCD + PolicyGenerator.

We will dive a bit deeper into both methods in the next steps.
13 | 14 | - [Automation only using RHACM](automation/rhacm-automation.md) 15 | - [Automation using RHACM and ArgoCD](automation/rhacm-argocd-automation.md) 16 | -------------------------------------------------------------------------------- /sample-manifests/automation/rhacm-alone/clusters/sno-2/02_workload_partitioning.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | kind: ConfigMap 3 | apiVersion: v1 4 | metadata: 5 | name: workload-partitioning-install-manifests-sno-2 6 | namespace: sno-2 7 | data: 8 | 99_workload_partitioning.yaml: | 9 | apiVersion: machineconfiguration.openshift.io/v1 10 | kind: MachineConfig 11 | metadata: 12 | labels: 13 | machineconfiguration.openshift.io/role: master 14 | name: 02-master-workload-partitioning 15 | spec: 16 | config: 17 | ignition: 18 | version: 3.2.0 19 | storage: 20 | files: 21 | - contents: 22 | source: data:text/plain;charset=utf-8;base64,W2NyaW8ucnVudGltZS53b3JrbG9hZHMubWFuYWdlbWVudF0KYWN0aXZhdGlvbl9hbm5vdGF0aW9uID0gInRhcmdldC53b3JrbG9hZC5vcGVuc2hpZnQuaW8vbWFuYWdlbWVudCIKYW5ub3RhdGlvbl9wcmVmaXggPSAicmVzb3VyY2VzLndvcmtsb2FkLm9wZW5zaGlmdC5pbyIKcmVzb3VyY2VzID0geyAiY3B1c2hhcmVzIiA9IDAsICJjcHVzZXQiID0gIjAtMiwzMi0zNCIgfQo= 23 | mode: 420 24 | overwrite: true 25 | path: /etc/crio/crio.conf.d/01-workload-partitioning 26 | user: 27 | name: root 28 | - contents: 29 | source: data:text/plain;charset=utf-8;base64,ewogICJtYW5hZ2VtZW50IjogewogICAgImNwdXNldCI6ICIwLTIsMzItMzQiCiAgfQp9Cg== 30 | mode: 420 31 | overwrite: true 32 | path: /etc/kubernetes/openshift-workload-pinning 33 | user: 34 | name: root 35 | -------------------------------------------------------------------------------- /sample-manifests/automation/rhacm-alone/clusters/sno-1/02_workload_partitioning.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # TODO: Need to review the Workload partitioning 3 | kind: ConfigMap 4 | apiVersion: v1 5 | metadata: 6 | name: 
workload-partitioning-install-manifests-sno-1 7 | namespace: mgmt-spoke1-sno-1 8 | data: 9 | 99_workload_partitioning.yaml: | 10 | apiVersion: machineconfiguration.openshift.io/v1 11 | kind: MachineConfig 12 | metadata: 13 | labels: 14 | machineconfiguration.openshift.io/role: master 15 | name: 02-master-workload-partitioning 16 | spec: 17 | config: 18 | ignition: 19 | version: 3.2.0 20 | storage: 21 | files: 22 | - contents: 23 | source: data:text/plain;charset=utf-8;base64,W2NyaW8ucnVudGltZS53b3JrbG9hZHMubWFuYWdlbWVudF0KYWN0aXZhdGlvbl9hbm5vdGF0aW9uID0gInRhcmdldC53b3JrbG9hZC5vcGVuc2hpZnQuaW8vbWFuYWdlbWVudCIKYW5ub3RhdGlvbl9wcmVmaXggPSAicmVzb3VyY2VzLndvcmtsb2FkLm9wZW5zaGlmdC5pbyIKcmVzb3VyY2VzID0geyAiY3B1c2hhcmVzIiA9IDAsICJjcHVzZXQiID0gIjAtMiwzMi0zNCIgfQo= 24 | mode: 420 25 | overwrite: true 26 | path: /etc/crio/crio.conf.d/01-workload-partitioning 27 | user: 28 | name: root 29 | - contents: 30 | source: data:text/plain;charset=utf-8;base64,ewogICJtYW5hZ2VtZW50IjogewogICAgImNwdXNldCI6ICIwLTIsMzItMzQiCiAgfQp9Cg== 31 | mode: 420 32 | overwrite: true 33 | path: /etc/kubernetes/openshift-workload-pinning 34 | user: 35 | name: root 36 | -------------------------------------------------------------------------------- /sample-manifests/automation/rhacm-alone/acm-prereqs/00_pre-reqs.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: ztp-clusters 6 | --- 7 | apiVersion: rbac.authorization.k8s.io/v1 8 | kind: ClusterRoleBinding 9 | metadata: 10 | name: open-cluster-management:subscription-admin 11 | roleRef: 12 | apiGroup: rbac.authorization.k8s.io 13 | kind: ClusterRole 14 | name: open-cluster-management:subscription-admin 15 | subjects: 16 | - apiGroup: rbac.authorization.k8s.io 17 | kind: User 18 | name: kube:admin 19 | - apiGroup: rbac.authorization.k8s.io 20 | kind: User 21 | name: system:admin 22 | --- 23 | apiVersion: apps.open-cluster-management.io/v1 24 | kind: 
Channel 25 | metadata: 26 | name: ztp-repository 27 | namespace: ztp-clusters 28 | spec: 29 | type: Git 30 | pathname: http://dummy:dummy@[2000:3220:1099::11]:3000/faredge-ztp/faregde-ztp.git 31 | --- 32 | apiVersion: apps.open-cluster-management.io/v1 33 | kind: PlacementRule 34 | metadata: 35 | name: local-cluster-placement 36 | namespace: ztp-clusters 37 | annotations: {} 38 | labels: 39 | app: cluster-deployments 40 | spec: 41 | clusterSelector: 42 | matchLabels: 43 | local-cluster: 'true' 44 | --- 45 | apiVersion: apps.open-cluster-management.io/v1 46 | kind: Subscription 47 | metadata: 48 | name: acm-prereqs-subscription 49 | namespace: ztp-clusters 50 | annotations: 51 | apps.open-cluster-management.io/git-branch: master 52 | apps.open-cluster-management.io/git-path: acm-prereqs/ 53 | apps.open-cluster-management.io/reconcile-option: merge 54 | labels: 55 | app: acm-prereqs 56 | app.kubernetes.io/part-of: acm-prereqs 57 | spec: 58 | channel: ztp-clusters/ztp-repository 59 | placement: 60 | placementRef: 61 | name: local-cluster-placement 62 | kind: PlacementRule 63 | -------------------------------------------------------------------------------- /sample-manifests/automation/rhacm-argocd/gitops-templates/hub-prereqs/01_clusterimageset.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: hive.openshift.io/v1 3 | kind: ClusterImageSet 4 | metadata: 5 | name: openshift-v4.8.0 6 | namespace: open-cluster-management 7 | spec: 8 | releaseImage: bm-cluster-1-hyper.e2e.bos.redhat.com:5000/ocp4:4.8.2-x86_64 9 | --- 10 | apiVersion: hive.openshift.io/v1 11 | kind: ClusterImageSet 12 | metadata: 13 | name: openshift-v4.8.2 14 | namespace: open-cluster-management 15 | spec: 16 | releaseImage: bm-cluster-1-hyper.e2e.bos.redhat.com:5000/ocp4:4.8.2-x86_64 17 | --- 18 | apiVersion: hive.openshift.io/v1 19 | kind: ClusterImageSet 20 | metadata: 21 | name: openshift-v4.8.5 22 | namespace: open-cluster-management 23 | 
spec: 24 | releaseImage: bm-cluster-1-hyper.e2e.bos.redhat.com:5000/ocp4:4.8.5-x86_64 25 | --- 26 | apiVersion: hive.openshift.io/v1 27 | kind: ClusterImageSet 28 | metadata: 29 | name: openshift-v4.8.10 30 | namespace: open-cluster-management 31 | spec: 32 | releaseImage: bm-cluster-1-hyper.e2e.bos.redhat.com:5000/ocp4:4.8.10-x86_64 33 | --- 34 | apiVersion: hive.openshift.io/v1 35 | kind: ClusterImageSet 36 | metadata: 37 | name: openshift-v4.8.11 38 | namespace: open-cluster-management 39 | spec: 40 | releaseImage: bm-cluster-1-hyper.e2e.bos.redhat.com:5000/ocp4:4.8.11-x86_64 41 | --- 42 | apiVersion: hive.openshift.io/v1 43 | kind: ClusterImageSet 44 | metadata: 45 | name: openshift-v4.8.12 46 | namespace: open-cluster-management 47 | spec: 48 | releaseImage: bm-cluster-1-hyper.e2e.bos.redhat.com:5000/ocp4:4.8.12-x86_64 49 | --- 50 | apiVersion: hive.openshift.io/v1 51 | kind: ClusterImageSet 52 | metadata: 53 | name: openshift-v4.8.13 54 | namespace: open-cluster-management 55 | spec: 56 | releaseImage: bm-cluster-1-hyper.e2e.bos.redhat.com:5000/ocp4:4.8.13-x86_64 57 | -------------------------------------------------------------------------------- /sample-manifests/automation/rhacm-argocd/gitops-templates/hub-prereqs/00_pre-reqs.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: ztp-clusters 6 | --- 7 | apiVersion: rbac.authorization.k8s.io/v1 8 | kind: ClusterRoleBinding 9 | metadata: 10 | name: open-cluster-management:subscription-admin 11 | roleRef: 12 | apiGroup: rbac.authorization.k8s.io 13 | kind: ClusterRole 14 | name: open-cluster-management:subscription-admin 15 | subjects: 16 | - apiGroup: rbac.authorization.k8s.io 17 | kind: User 18 | name: kube:admin 19 | - apiGroup: rbac.authorization.k8s.io 20 | kind: User 21 | name: system:admin 22 | --- 23 | apiVersion: apps.open-cluster-management.io/v1 24 | kind: Channel 25 | metadata: 26 | name: 
ztp-repository 27 | namespace: ztp-clusters 28 | spec: 29 | type: Git 30 | pathname: http://dummy:dummy@bm-cluster-1-hyper.e2e.bos.redhat.com:3000/faredge-ztp/faregde-ztp.git 31 | --- 32 | apiVersion: apps.open-cluster-management.io/v1 33 | kind: PlacementRule 34 | metadata: 35 | name: local-cluster-placement 36 | namespace: ztp-clusters 37 | annotations: {} 38 | labels: 39 | app: cluster-deployments 40 | spec: 41 | clusterSelector: 42 | matchLabels: 43 | local-cluster: 'true' 44 | --- 45 | apiVersion: apps.open-cluster-management.io/v1 46 | kind: Subscription 47 | metadata: 48 | name: acm-prereqs-subscription 49 | namespace: ztp-clusters 50 | annotations: 51 | apps.open-cluster-management.io/git-branch: master 52 | apps.open-cluster-management.io/git-path: FE-PolicyGen/acm-prereqs 53 | apps.open-cluster-management.io/reconcile-option: merge 54 | labels: 55 | app: acm-prereqs 56 | app.kubernetes.io/part-of: acm-prereqs 57 | spec: 58 | channel: ztp-clusters/ztp-repository 59 | placement: 60 | placementRef: 61 | name: local-cluster-placement 62 | kind: PlacementRule 63 | -------------------------------------------------------------------------------- /.pre-commit-config.yaml: -------------------------------------------------------------------------------- 1 | fail_fast: true 2 | repos: 3 | - repo: meta 4 | hooks: 5 | - id: check-useless-excludes 6 | - repo: https://github.com/pre-commit/mirrors-prettier 7 | rev: v2.3.1 8 | hooks: 9 | - id: prettier 10 | files: \.(css|js|md|markdown|json) 11 | - repo: https://github.com/python/black 12 | rev: 21.6b0 13 | hooks: 14 | - id: black 15 | - repo: https://github.com/pre-commit/pre-commit-hooks 16 | rev: v4.0.1 17 | hooks: 18 | - id: check-added-large-files 19 | - id: check-ast 20 | - id: check-case-conflict 21 | # - id: check-executables-have-shebangs 22 | - id: check-json 23 | - id: check-merge-conflict 24 | - id: check-symlinks 25 | - id: check-vcs-permalinks 26 | - id: check-xml 27 | - id: check-yaml 28 | args: 29 | - 
--unsafe 30 | - id: end-of-file-fixer 31 | - id: fix-encoding-pragma 32 | - id: forbid-new-submodules 33 | - id: no-commit-to-branch 34 | args: 35 | - --branch 36 | - gh-pages 37 | - id: requirements-txt-fixer 38 | - id: sort-simple-yaml 39 | - id: trailing-whitespace 40 | - repo: https://gitlab.com/pycqa/flake8 41 | rev: 3.9.2 42 | hooks: 43 | - id: flake8 44 | - repo: local 45 | hooks: 46 | - id: shfmt 47 | name: shfmt 48 | minimum_pre_commit_version: 2.4.0 49 | language: golang 50 | additional_dependencies: 51 | - mvdan.cc/sh/v3/cmd/shfmt@v3.1.1 52 | entry: shfmt 53 | args: 54 | - -w 55 | - -i 56 | - '0' 57 | types: 58 | - shell 59 | - repo: https://github.com/asottile/blacken-docs 60 | rev: v1.10.0 61 | hooks: 62 | - id: blacken-docs 63 | #- repo: https://github.com/hcodes/yaspeller.git 64 | # rev: v7.0.0 65 | # hooks: 66 | # - id: yaspeller 67 | # types: 68 | # - markdown 69 | -------------------------------------------------------------------------------- /tools/acm-downstream-image-sync.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | export PULL_SECRET_JSON=~/pull-secret.json 3 | export LOCAL_REGISTRY=$(hostname):5000 4 | export SNAPSHOT=2.3.0-DOWNSTREAM-2021-06-16-09-34-33 5 | export ACM_OP_BUNDLE=v2.3.0-127 6 | export IMAGE_INDEX=quay.io/acm-d/acm-custom-registry 7 | export BUILD_FOLDER=./build 8 | export REMOTE_REGISTRY=quay.io:443/acm-d 9 | 10 | # Clean previous tries 11 | rm -rf ${BUILD_FOLDER} 12 | 13 | # Copy ACM Custom Registry index and bundle images 14 | echo 15 | echo ">>>>>>>>>>>>>>> Cloning the Index and Bundle images..." 
16 | skopeo copy --authfile ${PULL_SECRET_JSON} docker://quay.io/acm-d/acm-custom-registry:${SNAPSHOT} docker://${LOCAL_REGISTRY}/rhacm2/acm-custom-registry:${SNAPSHOT} --all 17 | skopeo copy --authfile ${PULL_SECRET_JSON} docker://quay.io/acm-d/acm-operator-bundle:${ACM_OP_BUNDLE} docker://${LOCAL_REGISTRY}/rhacm2/acm-operator-bundle:${ACM_OP_BUNDLE} --all 18 | 19 | # Generate Mapping.txt 20 | echo 21 | echo ">>>>>>>>>>>>>>> Creating mapping assets..." 22 | oc adm -a ${PULL_SECRET_JSON} catalog mirror ${IMAGE_INDEX}:${SNAPSHOT} ${LOCAL_REGISTRY} --manifests-only --to-manifests=${BUILD_FOLDER} 23 | 24 | # Replace the upstream registry by the downstream one 25 | sed -i s#registry.redhat.io/rhacm2/#${REMOTE_REGISTRY}/# ${BUILD_FOLDER}/mapping.txt 26 | 27 | # Mirror the images into your mirror registry. 28 | echo 29 | echo ">>>>>>>>>>>>>>> Mirroring images..." 30 | oc image mirror -f ${BUILD_FOLDER}/mapping.txt -a ${PULL_SECRET_JSON} --filter-by-os=.* --keep-manifest-list --continue-on-error=true 31 | 32 | echo ">>>>>>>>>>>>>>> Copying images via skopeo..." 
# mapping.txt holds one "source=destination" pair per line
while IFS='=' read -r src dst; do
    # Skip blank or malformed lines
    [[ -n "${src}" && -n "${dst}" ]] || continue
    echo "skopeo copy --authfile ${PULL_SECRET_JSON} docker://${src} docker://${dst} --all"
    skopeo copy --authfile "${PULL_SECRET_JSON}" "docker://${src}" "docker://${dst}" --all
done < "${BUILD_FOLDER}/mapping.txt"

echo
echo "export CUSTOM_REGISTRY_REPO=${LOCAL_REGISTRY}/rhacm2"
echo "export DEFAULT_SNAPSHOT=${SNAPSHOT}"

--------------------------------------------------------------------------------
/docs/prerequirements/mirror-ocp-release.md:
--------------------------------------------------------------------------------
Table of contents:

- [Mirror the OCP Release](#mirror-the-ocp-release)
- [Demo video](https://www.youtube.com/watch?v=V-0n1-pBtjw&list=PLaR6Rq6Z4IqecDatkODye7IWMJUc5r6td&index=5)

# Mirror the OCP Release

I think you already did this for the Hub cluster deployment, but let's review it.

**Remember:** This is a supported step and it's officially documented here: https://docs.openshift.com/container-platform/4.7/installing/installing-mirroring-installation-images.html#installing-mirroring-installation-images

That said, let's go through the process.

The first thing we need is the `oc` client. The best way to get it is to download it from [here](https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/oc/), but if you already have one, even if it's outdated, you can use this script:

```sh
#!/bin/bash

## Variables
export PULL_SECRET_JSON=$(pwd)/pull_secret.json
export LOCAL_REGISTRY=$(hostname):5000
export LOCAL_REPOSITORY=ocp4
export OCP_RELEASE=4.8.0-fc.9-x86_64
export OCP_REGISTRY=quay.io/openshift-release-dev/ocp-release

## Functional
# Mirror the release payload into the local registry
function ocp_mirror_release() {
    oc adm -a "${PULL_SECRET_JSON}" release mirror \
        --from="${OCP_REGISTRY}:${OCP_RELEASE}" \
        --to="${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}" \
        --to-release-image="${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}"
}

# Extract the oc binary that matches the release being mirrored
function download_oc_client() {
    oc adm --registry-config "${PULL_SECRET_JSON}" release extract \
        --command=oc \
        --from="${OCP_REGISTRY}:${OCP_RELEASE}" \
        --to .

    if [[ ! -f oc ]]; then
        echo "OC Client wasn't extracted, exiting..."
        exit 1
    fi

    mv oc /home/kni/bin/oc
}

download_oc_client
ocp_mirror_release
```

Executing this script should be enough to download and update the `oc` client and also mirror the OpenShift release, so ensure you add the relevant `ImageContentSourcePolicies` to your `InstallConfig` for the Hub deployment and also for the Spoke deployments, which we will explain in a later section.
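
The step of adding the mirror entries to the `InstallConfig`, as an added example that is not part of the original repository: it renders the `imageContentSources` stanza for the two source repositories that `oc adm release mirror` reports, and shows which pull specs such a digest mirror rule redirects. `registry.example.lab` is a constructed hostname and both function names are illustrative; the resolver models prefix matching only.

```shell
#!/bin/bash
# Added example, not the project's own code. The two variables mirror the ones
# in the script above; registry.example.lab is a constructed hostname.
LOCAL_REGISTRY="registry.example.lab:5000"
LOCAL_REPOSITORY="ocp4"

# Source repositories an OCP release payload is pulled from.
RELEASE_SOURCES="quay.io/openshift-release-dev/ocp-release
quay.io/openshift-release-dev/ocp-v4.0-art-dev"

# Print the imageContentSources stanza to paste into install-config.yaml.
render_image_content_sources() {
  local src
  echo "imageContentSources:"
  for src in ${RELEASE_SOURCES}; do
    printf '%s\n' \
      "- mirrors:" \
      "  - ${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}" \
      "  source: ${src}"
  done
}

# Resolve one pull spec the way a digest mirror rule does:
#   - only references pinned by digest (repo@sha256:...) are redirected
#   - the repository must equal a source or sit underneath it
# Prints the pull spec that is tried first. Returns 1 when the pull would go
# to the upstream registry, which is what fails in a disconnected site.
resolve_via_mirror() {
  local ref="$1"
  local repo digest src
  case "${ref}" in
    *@sha256:*)
      repo="${ref%@*}"
      digest="${ref##*@}"
      ;;
    *)
      # Tag or bare reference: digest mirrors never apply
      echo "${ref}"
      return 1
      ;;
  esac
  for src in ${RELEASE_SOURCES}; do
    case "${repo}" in
      "${src}" | "${src}"/*)
        echo "${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}${repo#"${src}"}@${digest}"
        return 0
        ;;
    esac
  done
  # Digest reference, but no mirror rule covers this repository
  echo "${ref}"
  return 1
}
```

A release image referenced by tag, or an operator image from a registry with no matching rule, returns 1 here; those are the references to look for when a disconnected install tries to reach the Internet.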
57 | -------------------------------------------------------------------------------- /.yaspeller.json: -------------------------------------------------------------------------------- 1 | { 2 | "ignoreUrls": true, 3 | "findRepeatWords": true, 4 | "maxRequests": 5, 5 | "ignoreDigits": true, 6 | "lang": "en", 7 | "dictionary": [ 8 | "cnf", 9 | "deployable", 10 | "ArgoCD", 11 | "PolicyGenerator", 12 | "CNF", 13 | "ETCD", 14 | "SNOs", 15 | "envs", 16 | "GitOps", 17 | "SA", 18 | "CLI", 19 | "ClusterImageSets", 20 | "DisconnectedMirror", 21 | "CatalogSources", 22 | "SRIOV", 23 | "FEC", 24 | "ManagedNode", 25 | "WorkloadProfile", 26 | "acm", 27 | "ClusterRoleBinding", 28 | "configs", 29 | "PlacementRule", 30 | "MultiClusterHub", 31 | "acm-d", 32 | "namespaced", 33 | "io", 34 | "repo", 35 | "AssistedServiceConfig", 36 | "NS", 37 | "CR is", 38 | "Klusterlet", 39 | "mirrorRegistry", 40 | "hostname", 41 | "hubAcceptsClient", 42 | "KlusterletAddonConfig", 43 | "ManagedCluster", 44 | "NameSpace", 45 | "Prov", 46 | "routable", 47 | "ACI", 48 | "KlusterletAddonConfig", 49 | "Repo", 50 | "prereqs", 51 | "MultiClusterHub", 52 | "icsp", 53 | "yaml", 54 | "ACM", 55 | "AgentClusterInstall", 56 | "AgentServiceConfig", 57 | "AsistedServiceConfig", 58 | "BareMetal", 59 | "BareMetalHost", 60 | "BareMetalHosts", 61 | "BMC", 62 | "BMH", 63 | "CA", 64 | "ClusterDeployment", 65 | "ClusterImageSet", 66 | "ClusterName", 67 | "ConfigMap", 68 | "ControlPlane", 69 | "CR's", 70 | "CR", 71 | "CRD", 72 | "FeatureGate", 73 | "HiveConfig", 74 | "htpasswd", 75 | "InfraEnv's", 76 | "InfraEnv", 77 | "IPI", 78 | "ISOs", 79 | "KUBECONFIG", 80 | "LiveISO", 81 | "Metal³", 82 | "Multinode", 83 | "NMState", 84 | "OCP", 85 | "OLM", 86 | "OpenShift", 87 | "OperatorHub", 88 | "podman", 89 | "PullSecret's", 90 | "PullSecret", 91 | "PVs", 92 | "PXE", 93 | "Redfish", 94 | "RHACM", 95 | "RHCOS", 96 | "RootFS", 97 | "RWN", 98 | "SaaS", 99 | "SNO", 100 | "Telco", 101 | "UI", 102 | "VLAN", 103 | "ZTP", 104 | 
"Lifecycle", 105 | "ICSP", 106 | "workaround", 107 | "QE", 108 | "DEV", 109 | "Baremetal", 110 | "OpenStack", 111 | "QEMU" 112 | ] 113 | } 114 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Byte-compiled / optimized / DLL files 2 | __pycache__/ 3 | *.py[cod] 4 | *$py.class 5 | 6 | # C extensions 7 | *.so 8 | 9 | # Distribution / packaging 10 | .Python 11 | build/ 12 | develop-eggs/ 13 | dist/ 14 | downloads/ 15 | eggs/ 16 | .eggs/ 17 | lib/ 18 | lib64/ 19 | parts/ 20 | sdist/ 21 | var/ 22 | wheels/ 23 | pip-wheel-metadata/ 24 | share/python-wheels/ 25 | *.egg-info/ 26 | .installed.cfg 27 | *.egg 28 | MANIFEST 29 | 30 | # PyInstaller 31 | # Usually these files are written by a python script from a template 32 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 33 | *.manifest 34 | *.spec 35 | 36 | # Installer logs 37 | pip-log.txt 38 | pip-delete-this-directory.txt 39 | 40 | # Unit test / coverage reports 41 | htmlcov/ 42 | .tox/ 43 | .nox/ 44 | .coverage 45 | .coverage.* 46 | .cache 47 | nosetests.xml 48 | coverage.xml 49 | *.cover 50 | *.py,cover 51 | .hypothesis/ 52 | .pytest_cache/ 53 | 54 | # Translations 55 | *.mo 56 | *.pot 57 | 58 | # Django stuff: 59 | *.log 60 | local_settings.py 61 | db.sqlite3 62 | db.sqlite3-journal 63 | 64 | # Flask stuff: 65 | instance/ 66 | .webassets-cache 67 | 68 | # Scrapy stuff: 69 | .scrapy 70 | 71 | # JetBrains stuff: 72 | .idea 73 | *.iml 74 | 75 | # Sphinx documentation 76 | docs/_build/ 77 | 78 | # PyBuilder 79 | target/ 80 | 81 | # Jupyter Notebook 82 | .ipynb_checkpoints 83 | 84 | # IPython 85 | profile_default/ 86 | ipython_config.py 87 | 88 | # pyenv 89 | .python-version 90 | 91 | # pipenv 92 | # According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. 
93 | # However, in case of collaboration, if having platform-specific dependencies or dependencies 94 | # having no cross-platform support, pipenv may install dependencies that don't work, or not 95 | # install all needed dependencies. 96 | #Pipfile.lock 97 | 98 | # PEP 582; used by e.g. github.com/David-OConnor/pyflow 99 | __pypackages__/ 100 | 101 | # Celery stuff 102 | celerybeat-schedule 103 | celerybeat.pid 104 | 105 | # SageMath parsed files 106 | *.sage.py 107 | 108 | # Environments 109 | .env 110 | .venv 111 | env/ 112 | venv/ 113 | ENV/ 114 | env.bak/ 115 | venv.bak/ 116 | 117 | # Spyder project settings 118 | .spyderproject 119 | .spyproject 120 | 121 | # Rope project settings 122 | .ropeproject 123 | 124 | # mkdocs documentation 125 | /site 126 | 127 | # mypy 128 | .mypy_cache/ 129 | .dmypy.json 130 | dmypy.json 131 | 132 | # Pyre type checker 133 | .pyre/ 134 | -------------------------------------------------------------------------------- /sample-manifests/automation/rhacm-argocd/gitops-templates/hub-prereqs/05_gitops-operator-icsp.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: operator.openshift.io/v1alpha1 2 | kind: ImageContentSourcePolicy 3 | metadata: 4 | name: gitops-operator-icsp 5 | spec: 6 | repositoryDigestMirrors: 7 | - mirrors: 8 | - bm-cluster-1-hyper.e2e.bos.redhat.com:5000/olm/openshift-gitops-1-tech-preview-gitops-rhel8-operator 9 | source: registry.redhat.io/openshift-gitops-1-tech-preview/gitops-rhel8-operator 10 | - mirrors: 11 | - bm-cluster-1-hyper.e2e.bos.redhat.com:5000/olm/openshift-gitops-1-kam-delivery-rhel8 12 | source: registry.redhat.io/openshift-gitops-1/kam-delivery-rhel8 13 | - mirrors: 14 | - bm-cluster-1-hyper.e2e.bos.redhat.com:5000/olm/openshift-gitops-1-tech-preview-kam-delivery-rhel8 15 | source: registry.redhat.io/openshift-gitops-1-tech-preview/kam-delivery-rhel8 16 | - mirrors: 17 | - 
bm-cluster-1-hyper.e2e.bos.redhat.com:5000/olm/openshift-gitops-1-gitops-rhel8 18 | source: registry.redhat.io/openshift-gitops-1/gitops-rhel8 19 | - mirrors: 20 | - bm-cluster-1-hyper.e2e.bos.redhat.com:5000/olm/openshift-gitops-1-tech-preview-gitops-rhel8 21 | source: registry.redhat.io/openshift-gitops-1-tech-preview/gitops-rhel8 22 | - mirrors: 23 | - bm-cluster-1-hyper.e2e.bos.redhat.com:5000/olm/openshift-gitops-1-gitops-rhel8-operator 24 | source: registry.redhat.io/openshift-gitops-1/gitops-rhel8-operator 25 | - mirrors: 26 | - bm-cluster-1-hyper.e2e.bos.redhat.com:5000/olm/openshift-gitops-1-applicationset-rhel8 27 | source: registry.redhat.io/openshift-gitops-1/applicationset-rhel8 28 | - mirrors: 29 | - bm-cluster-1-hyper.e2e.bos.redhat.com:5000/olm/openshift-gitops-1-tech-preview-gitops-operator-bundle 30 | source: registry.redhat.io/openshift-gitops-1-tech-preview/gitops-operator-bundle 31 | - mirrors: 32 | - bm-cluster-1-hyper.e2e.bos.redhat.com:5000/olm/openshift-gitops-1-tech-preview-argocd-rhel8 33 | source: registry.redhat.io/openshift-gitops-1-tech-preview/argocd-rhel8 34 | - mirrors: 35 | - bm-cluster-1-hyper.e2e.bos.redhat.com:5000/olm/openshift-gitops-1-gitops-operator-bundle 36 | source: registry.redhat.io/openshift-gitops-1/gitops-operator-bundle 37 | - mirrors: 38 | - bm-cluster-1-hyper.e2e.bos.redhat.com:5000/olm/openshift-gitops-1-argocd-rhel8 39 | source: registry.redhat.io/openshift-gitops-1/argocd-rhel8 40 | - mirrors: 41 | - bm-cluster-1-hyper.e2e.bos.redhat.com:5000/olm/rhel8-redis-5 42 | source: registry.redhat.io/rhel8/redis-5 43 | - mirrors: 44 | - bm-cluster-1-hyper.e2e.bos.redhat.com:5000/olm/rh-sso-7-sso74-openshift-rhel8 45 | source: registry.redhat.io/rh-sso-7/sso74-openshift-rhel8 46 | - mirrors: 47 | - bm-cluster-1-hyper.e2e.bos.redhat.com:5000/olm/openshift4-ose-haproxy-router 48 | source: registry.redhat.io/openshift4/ose-haproxy-router 49 | - mirrors: 50 | - 
bm-cluster-1-hyper.e2e.bos.redhat.com:5000/redhat_emp1/ztp-site-generator 51 | source: quay.io/redhat_emp1/ztp-site-generator 52 | -------------------------------------------------------------------------------- /sample-manifests/automation/rhacm-alone/cnf-operators/pao/policy-pao48.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: policy.open-cluster-management.io/v1 3 | kind: Policy 4 | metadata: 5 | name: policy-pao-operator 6 | annotations: 7 | policy.open-cluster-management.io/standards: NIST SP 800-53 8 | policy.open-cluster-management.io/categories: CM Configuration Management 9 | policy.open-cluster-management.io/controls: CM-2 Baseline Configuration 10 | spec: 11 | remediationAction: enforce 12 | disabled: false 13 | policy-templates: 14 | - objectDefinition: 15 | apiVersion: policy.open-cluster-management.io/v1 16 | kind: ConfigurationPolicy 17 | metadata: 18 | name: policy-pao-subscription 19 | spec: 20 | remediationAction: enforce # the policy-template spec.remediationAction is overridden by the preceding parameter value for spec.remediationAction. 
          severity: low
          namespaceSelector:
            exclude: ["kube-*"]
            include: ["*"]
          object-templates:
            ## Namespace
            - complianceType: musthave
              objectDefinition:
                apiVersion: v1
                kind: Namespace
                metadata:
                  name: openshift-performance-addon-operator
                  annotations:
                    workload.openshift.io/allowed: management
                  labels:
                    openshift.io/cluster-monitoring: "true"
                spec: {}
            ## OperatorGroup
            - complianceType: musthave
              objectDefinition:
                apiVersion: operators.coreos.com/v1
                kind: OperatorGroup
                metadata:
                  name: performance-addon-operator
                  namespace: openshift-performance-addon-operator
            ## Subscription
            - complianceType: musthave
              objectDefinition:
                apiVersion: operators.coreos.com/v1alpha1
                kind: Subscription
                metadata:
                  name: performance-addon-operator-subscription
                  namespace: openshift-performance-addon-operator
                spec:
                  channel: "4.8"
                  name: performance-addon-operator
                  source: redhat-operator-index
                  sourceNamespace: openshift-marketplace
---
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
  name: binding-policy-pao
placementRef:
  name: placement-policy-pao
  kind: PlacementRule
  apiGroup: apps.open-cluster-management.io
subjects:
  - name: policy-pao-operator
    kind: Policy
    apiGroup: policy.open-cluster-management.io
---
apiVersion: apps.open-cluster-management.io/v1
kind: PlacementRule
metadata:
  name: placement-policy-pao
spec:
  clusterConditions:
    - status: "True"
      type: ManagedClusterJoined
  clusterSelector:
    matchExpressions:
      - {key: pao, operator: In, values: ["true"]}

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------

- [ZTP For Telco Edge 5G](#ztp-for-telco-edge-5g)
  - [What is ZTP?](#what-is-ztp)
  - [Context on ZTP architecture](#context-on-ztp-architecture)
    - [Disconnected ZTP Flow](#disconnected-ztp-flow)
    - [Connected ZTP Flow](#connected-ztp-flow)
    - [ZTP Hub Components](#ztp-hub-components)
  - [How to start with ZTP?](#how-to-start-with-ztp)

# ZTP For Telco Edge 5G

Here we collect all the information about the ZTP flow: the preferred scenarios, the steps to follow and much more. Let's start from the beginning with some context and theory.

## What is ZTP?

ZTP stands for Zero Touch Provisioning, a project to deploy and deliver OpenShift 4 in a HUB-SPOKE architecture (in a relation of 1-N), where the HUB manages many Spokes. Both the Hub and the Spokes are based on OpenShift 4, with the difference that the HUB cluster manages and deploys the Spokes using RHACM (Red Hat Advanced Cluster Management).

**Why Zero Touch Provisioning if I need to deploy some things by hand?** This is a fair question. We need a consistent base for the hub to perform the Spoke deployments, and for that we need to deploy OpenShift Container Platform 4 (the IPI way); otherwise we would have a chicken-and-egg problem.

**Why is this related to Single Node OpenShift (SNO) and Remote Worker Node (RWN)?** In the 5G world there are areas called RAN (Radio Access Network). There are several scenarios here, but the important point is that SNO will be mostly at the D-RAN sites and eventually at the C-RAN ones; the same applies to RWN.

## Context on ZTP architecture

At a high level we have two scenarios, the connected world and the disconnected world, depending on whether your OpenShift nodes can access the Internet directly or not. From here the two follow separate paths. The disconnected one needs to fulfil some prerequisites before the action starts. Let's take a look at some diagrams:

### Disconnected ZTP Flow

![](/assets/ztp-flow-disconnected.png)

### Connected ZTP Flow

![](/assets/ztp-flow-connected.png)

These are the steps, one by one, that we need to follow to deploy every element of ZTP, including the Hub and the Spoke cluster. As you can see, there are some differences between the two flows, mostly on the prerequisites side.

### ZTP Hub Components

Here we need some basic components. The OpenShift Hub cluster needs at least:

- OpenShift Container Platform version 4 in an IPI deployment (which includes Metal³ pods)
- Storage to work with (3 PVs at least to deploy ACM)
- ACM Software available (v2.3.0)
- Hive
- Assisted Installer
- The manifests to create the Spoke clusters
- The BareMetal nodes to deploy OpenShift on top of them

## How to start with ZTP?

We can learn how to work with ZTP by following these steps:

- Pre-Requirements Phase (**Optional just for Disconnected cases**)
  - [**Host Internal resources (Registry and HTTPD)**](/docs/prerequirements/host-internal-resources.md)
  - [**Mirror OCP Release**](/docs/prerequirements/mirror-ocp-release.md)
  - [**Mirror OLM Marketplace**](/docs/prerequirements/mirror-olm.md)
- [Disconnected ZTP Flow Hub deployment](/docs/disconnected-ZTP-flow-hub-deployment.md)
- [Connected ZTP Flow Hub deployment](/docs/connected-ZTP-flow-hub-deployment.md)

**NOTE:** A series of demonstration videos showing the entire process for disconnected environments is available [here](https://www.youtube.com/playlist?list=PLaR6Rq6Z4IqecDatkODye7IWMJUc5r6td).

From here we can experiment a bit more with massive deployments and policies with ACM. For that we have a dedicated section:

- [Automation and Massive deployments with ZTP](/docs/automation-massive-deployments-ztp.md)

--------------------------------------------------------------------------------
/sample-manifests/automation/rhacm-alone/cnf-operators/sriov/policy-sriov-operator.yaml:
--------------------------------------------------------------------------------
---
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  name: policy-sriov-operator
  annotations:
    policy.open-cluster-management.io/standards: NIST SP 800-53
    policy.open-cluster-management.io/categories: CM Configuration Management
    policy.open-cluster-management.io/controls: CM-2 Baseline Configuration
spec:
  remediationAction: enforce
  disabled: false
  policy-templates:
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name: policy-sriov-subscription
        spec:
          remediationAction: enforce # the policy-template spec.remediationAction is overridden by the preceding parameter value for spec.remediationAction.
          severity: low
          namespaceSelector:
            exclude: ["kube-*"]
            include: ["*"]
          object-templates:
            ## Namespace
            - complianceType: musthave
              objectDefinition:
                apiVersion: v1
                kind: Namespace
                metadata:
                  name: openshift-sriov-network-operator
                  annotations:
                    workload.openshift.io/allowed: management
                  labels:
                    openshift.io/run-level: "1"
            ## OperatorGroup
            - complianceType: musthave
              objectDefinition:
                apiVersion: operators.coreos.com/v1
                kind: OperatorGroup
                metadata:
                  name: sriov-network-operators
                  namespace: openshift-sriov-network-operator
                spec:
                  targetNamespaces:
                    - openshift-sriov-network-operator
            ## Subscription
            - complianceType: musthave
              objectDefinition:
                apiVersion: operators.coreos.com/v1alpha1
                kind: Subscription
                metadata:
                  name: sriov-network-operator-subscription
                  namespace: openshift-sriov-network-operator
                spec:
                  channel: "4.8"
                  name: sriov-network-operator
                  source: redhat-operator-index
                  sourceNamespace: openshift-marketplace
            ## OperatorConfig
            - complianceType: musthave
              objectDefinition:
                apiVersion: sriovnetwork.openshift.io/v1
                kind: SriovOperatorConfig
                metadata:
                  name: default
                  namespace: openshift-sriov-network-operator
                spec:
                  enableInjector: true
                  enableOperatorWebhook: true
                  configDaemonNodeSelector:
                    "node-role.kubernetes.io/master": ""
                  disableDrain: false
---
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
  name: binding-policy-sriov
placementRef:
  name: placement-policy-sriov
  kind: PlacementRule
  apiGroup: apps.open-cluster-management.io
subjects:
  - name: policy-sriov-operator
    kind: Policy
    apiGroup: policy.open-cluster-management.io
---
apiVersion: apps.open-cluster-management.io/v1
kind: PlacementRule
metadata:
  name: placement-policy-sriov
spec:
  clusterConditions:
    - status: "True"
      type: ManagedClusterJoined
  clusterSelector:
    matchExpressions:
      - {key: sriov, operator: In, values: ["true"]}

--------------------------------------------------------------------------------
/sample-manifests/automation/rhacm-alone/acm/ztp-applications.yaml:
--------------------------------------------------------------------------------
## Cluster Deployments
---
apiVersion: app.k8s.io/v1beta1
kind: Application
metadata:
  name: cluster-deployments
  namespace: ztp-clusters
  annotations:
    apps.open-cluster-management.io/deployables: ''
spec:
  componentKinds:
    - group: apps.open-cluster-management.io
      kind: Subscription
  descriptor: {}
  selector:
    matchExpressions:
      - key: app
        operator: In
        values:
          - cluster-deployments
---
apiVersion: apps.open-cluster-management.io/v1
kind: Subscription
metadata:
  name: cluster-deployments-subscription
  namespace: ztp-clusters
  annotations:
    apps.open-cluster-management.io/git-branch: main
    apps.open-cluster-management.io/git-path: clusters/
    apps.open-cluster-management.io/reconcile-option: merge
  labels:
    app: cluster-deployments
    app.kubernetes.io/part-of: cluster-deployments
spec:
  channel: ztp-clusters/ztp-repository
  placement:
    placementRef:
      name: local-cluster-placement
      kind: PlacementRule
---
apiVersion: apps.open-cluster-management.io/v1
kind: PlacementRule
metadata:
  name: local-cluster-placement
  namespace: ztp-clusters
  annotations: {}
  labels:
    app: cluster-deployments
    app.kubernetes.io/part-of: cluster-deployments
spec:
  clusterSelector:
    matchLabels:
      local-cluster: 'true'

## CNF Operators
---
apiVersion: app.k8s.io/v1beta1
kind: Application
metadata:
  name: cnf-operators
  namespace: ztp-clusters
  annotations:
    apps.open-cluster-management.io/deployables: ''
spec:
  componentKinds:
    - group: apps.open-cluster-management.io
      kind: Subscription
  descriptor: {}
  selector:
    matchExpressions:
      - key: app
        operator: In
        values:
          - cnf-operators
---
apiVersion: apps.open-cluster-management.io/v1
kind: Subscription
metadata:
  name: cnf-operators-subscription-1
  namespace: ztp-clusters
  annotations:
    apps.open-cluster-management.io/git-branch: main
    apps.open-cluster-management.io/git-path: cnf-operators/
    apps.open-cluster-management.io/reconcile-option: merge
  labels:
    app: cnf-operators
    app.kubernetes.io/part-of: cnf-operators
spec:
  channel: ztp-clusters/ztp-repository
  placement:
    placementRef:
      name: local-cluster-placement
      kind: PlacementRule

## CNF Operators CFG
---
apiVersion: app.k8s.io/v1beta1
kind: Application
metadata:
  name: cnf-operators-configs
  namespace: ztp-clusters
  annotations:
    apps.open-cluster-management.io/deployables: ''
spec:
  componentKinds:
    - group: apps.open-cluster-management.io
      kind: Subscription
  descriptor: {}
  selector:
    matchExpressions:
      - key: app
        operator: In
        values:
          - cnf-operators-configs
---
apiVersion: apps.open-cluster-management.io/v1
kind: Subscription
metadata:
  name: cnf-operators-configs-subscription-1
  namespace: ztp-clusters
  annotations:
    apps.open-cluster-management.io/git-branch: main
    apps.open-cluster-management.io/git-path: cnf-config/
    apps.open-cluster-management.io/reconcile-option: merge
  labels:
    app: cnf-operators-configs
    app.kubernetes.io/part-of: cnf-operators-configs
spec:
  channel: ztp-clusters/ztp-repository
  placement:
    placementRef:
      name: local-cluster-placement
      kind: PlacementRule

--------------------------------------------------------------------------------
/docs/prerequirements/acm-downstream-deployment-connected.md:
--------------------------------------------------------------------------------
Table of contents:

- [ACM Downstream Deployment Connected](#acm-downstream-deployment-connected)
  - [Permission for Downstream Repo](#permission-for-downstream-repo)
  - [ACM Downstream Deployment](#acm-downstream-deployment)
  - [ACM Uninstall Process](#acm-uninstall-process)

# ACM Downstream Deployment Connected

**NOTE**: We follow the same procedure described in the `README.md` file of the deployment repository. Everything is well explained there, so if you have doubts that is the right place to look (it even covers how to [deploy an ACM downstream version](https://github.com/open-cluster-management/deploy#deploying-downstream-builds-snapshots-for-product-quality-engineering)).

## Permission for Downstream Repo

First, follow the instructions mentioned [here](https://github.com/open-cluster-management/deploy#prepare-to-deploy-open-cluster-management-instance-only-do-once) to request pull permission for the repo **quay.io/acm-d**.

Then you can verify that you have sufficient permission:

```sh
podman pull --authfile ${PULL_SECRET} quay.io/acm-d/acm-custom-registry:2.3.0-DOWNSTREAM-2021-06-13-16-46-23
```

## ACM Downstream Deployment

To deploy an ACM Downstream version in a connected environment, you will need this repository: **https://github.com/open-cluster-management/deploy**, so clone it and we can continue with the process.

After you clone the repo above, follow these steps:

- Go to the deploy folder and modify the file `snapshot.ver` with the snapshot version you want to deploy
- Then ensure you have 3 PVs (at least) available to be bound
- Follow these [steps](https://github.com/open-cluster-management/deploy#prepare-to-deploy-open-cluster-management-instance-only-do-once) to prepare the `pull-secret.yaml` under the `prereqs` folder
- Create the file `icsp.yaml` with the content below to mirror downstream images to acm-d

```yaml
apiVersion: operator.openshift.io/v1alpha1
kind: ImageContentSourcePolicy
metadata:
  name: rhacm-repo
spec:
  repositoryDigestMirrors:
  - mirrors:
    - quay.io:443/acm-d
    source: registry.redhat.io/rhacm2
  - mirrors:
    - registry.redhat.io/openshift4/ose-oauth-proxy
    source: registry.access.redhat.com/openshift4/ose-oauth-proxy
```

Apply it:

```shell
oc apply -f icsp.yaml
```

- You will need to export some variables to the environment

```sh
export KUBECONFIG=
export CUSTOM_REGISTRY_REPO=quay.io:443/acm-d
export COMPOSITE_BUNDLE=true
export DEBUG=true
```

In my case it is something like:

```sh
export KUBECONFIG=/home/kni/ipv6/mgmt-hub/auth/kubeconfig
export CUSTOM_REGISTRY_REPO=quay.io:443/acm-d
export COMPOSITE_BUNDLE=true
export DEBUG=true
```

- Now we just need to execute the deployment script `start.sh`

```sh
./start.sh --watch
```

- When it finishes, check that all pods are in the Running state. The installation process takes some time to finish, so be patient.

```sh
oc get pods -n open-cluster-management
```

- After the installation has finished, double-check that the MultiClusterHub object has been annotated with your custom registry repo; otherwise the managed cluster won't be able to pull the required images.

```sh
oc annotate mch multiclusterhub mch-imageRepository='quay.io:443/acm-d'
```

## ACM Uninstall Process

In the typical situation you just need to delete the subscription and that's it, but here it's a bit different, so be aware.

Using the same deploy repository we've seen before, and with the same variables loaded into the environment, we just need to execute the `uninstall.sh` script and eventually it will get uninstalled.

--------------------------------------------------------------------------------
/sample-manifests/automation/rhacm-argocd/gitops-templates/site-policies/site-specific-policies/FE-LAB.yaml:
--------------------------------------------------------------------------------
---
apiVersion: ran.openshift.io/v1
kind: PolicyGenTemplate
metadata:
  name: "fe-lab"
  namespace: "fe-lab-policies"
spec:
  bindingRules:
    siteName: "fe-lab"
  mcp: "master"
  sourceFiles:
    ## LocalStorage test
    - fileName: StorageLocalVolume.yaml
      policyName: "storage-policy"
      spec:
        storageClassDevices:
          - devicePaths:
              - /dev/nvme1n1p1
              - /dev/nvme1n1p2
              - /dev/nvme1n1p3
              - /dev/nvme1n1p4
            fsType: xfs
            storageClassName: fs-lso
            volumeMode: Filesystem
    - fileName: StorageClass.yaml
      policyName: "storage-policy"
      metadata:
        annotations:
          storageclass.kubernetes.io/is-default-class: "true"
        labels:
          local.storage.openshift.io/owner-name: ls-fs
        name: fs-lso
    ## InternalRegistry
    - fileName: ImageRegistryConfigPVC.yaml
      policyName: "image-registry-policy"
      metadata:
        name: registry-storage
      spec:
        accessModes:
          - ReadWriteOnce
        resources:
          requests:
            storage: 100Gi
    - fileName: ImageRegistryConfig.yaml
      policyName: "image-registry-policy"
      spec:
        storage:
          pvc:
            claim: 'registry-storage'
    ## SRIOV
    - fileName: SriovNetwork.yaml
      policyName: "sriov-config"
      metadata:
        name: "sriov-network-1"
      spec:
        resourceName: cvl-sriov-sno1
        vlan: 123
        spoofChk: "off"
    - fileName: SriovNetworkNodePolicy.yaml
      policyName: "sriov-config"
      metadata:
        name: "sriov-cvl-sno1-fh"
      spec:
        deviceType: vfio-pci
        isRdma: false
        nicSelector:
          pfNames: ["ens1f0#0-4"]
        numVfs: 10
        priority: 10
        resourceName: cvl_sno1
    - fileName: SriovNetworkNodePolicy.yaml
      policyName: "sriov-config"
      metadata:
        name: "sriov-cvl-1-sno1-netdevice"
      spec:
        deviceType: netdevice
        isRdma: false
        nicSelector:
          pfNames: ["ens1f0#5-9"]
        numVfs: 10
        priority: 10
        resourceName: cvl_sno1_net
    - fileName: SriovNetworkNodePolicy.yaml
      policyName: "sriov-config"
      metadata:
        name: "sriov-cvl-2-sno1-netdevice"
      spec:
        deviceType: vfio-pci
        isRdma: false
        nicSelector:
          pfNames: ["ens1f1"]
        numVfs: 8
        resourceName: cvl_2_sno1_net
    ## PAO
    - fileName: PerformanceProfile.yaml
      policyName: "perfprofile-policy"
      metadata:
        name: openshift-node-performance-profile
      spec:
        cpu:
          isolated: "3-31,35-63"
          reserved: "0-2,32-34"
        hugepages:
          defaultHugepagesSize: 1G
          pages:
            - size: 1G
              count: 10
              node: 0
        realTimeKernel:
          enabled: false
    - fileName: TunedPerformancePatch.yaml
      policyName: "tuned-perf-patch-policy"
      spec:
        profile:
          - name: performance-patch
            data: |
              [main]
              summary=Configuration changes profile inherited from performance created tuned
              include=openshift-node-performance-profile
              [bootloader]
              cmdline_crash=nohz_full=3-31,35-63
              [sysctl]
              kernel.timer_migration=1
              [service]
              service.stalld=start,enable

--------------------------------------------------------------------------------
/sample-manifests/automation/rhacm-alone/cnf-operators/ptp/policy-ptp-operator.yaml:
--------------------------------------------------------------------------------
---
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  name: policy-ptp-operator
  annotations:
    policy.open-cluster-management.io/standards: NIST SP 800-53
    policy.open-cluster-management.io/categories: CM Configuration Management
    policy.open-cluster-management.io/controls: CM-2 Baseline Configuration
spec:
  remediationAction: enforce
  disabled: false
  policy-templates:
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name: policy-ptp-subscription
        spec:
          remediationAction: enforce # the policy-template spec.remediationAction is overridden by the preceding parameter value for spec.remediationAction.
          severity: low
          namespaceSelector:
            exclude: ["kube-*"]
            include: ["*"]
          object-templates:
            ## Disable Chrony
            - complianceType: musthave
              objectDefinition:
                apiVersion: tuned.openshift.io/v1
                kind: Tuned
                metadata:
                  name: chrony-patch
                  namespace: openshift-cluster-node-tuning-operator
                spec:
                  profile:
                    - data: |
                        [main]
                        summary=Configuration changes profile inherited from performance created tuned
                        include=master-du-performance
                        [service]
                        service.chrony=stop,disable
                      name: chrony-patch
                  recommend:
                    - machineConfigLabels:
                        machineconfiguration.openshift.io/role: "worker-cnf"
                      priority: 19
                      profile: chrony-patch
            ## Namespace
            - complianceType: musthave
              objectDefinition:
                apiVersion: v1
                kind: Namespace
                metadata:
                  name: openshift-ptp
                  annotations:
                    workload.openshift.io/allowed: management
                  labels:
                    openshift.io/cluster-monitoring: "true"
            ## OperatorGroup
            - complianceType: musthave
              objectDefinition:
                apiVersion: operators.coreos.com/v1
                kind: OperatorGroup
                metadata:
                  name: ptp-operators
                  namespace: openshift-ptp
                spec:
                  targetNamespaces:
                    - openshift-ptp
            ## Subscription
            - complianceType: musthave
              objectDefinition:
                apiVersion: operators.coreos.com/v1alpha1
                kind: Subscription
                metadata:
                  name: ptp-operator-subscription
                  namespace: openshift-ptp
                spec:
                  channel: "4.8"
                  name: ptp-operator
                  source: "redhat-operator-index"
                  sourceNamespace: openshift-marketplace
---
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
  name: binding-policy-ptp
placementRef:
  name: placement-policy-ptp
  kind: PlacementRule
  apiGroup: apps.open-cluster-management.io
subjects:
  - name: policy-ptp-operator
    kind: Policy
    apiGroup: policy.open-cluster-management.io
---
apiVersion: apps.open-cluster-management.io/v1
kind: PlacementRule
metadata:
  name: placement-policy-ptp
spec:
  clusterConditions:
    - status: "True"
      type: ManagedClusterJoined
  clusterSelector:
    matchExpressions:
      - {key: ptp, operator: In, values: ["true"]}

--------------------------------------------------------------------------------
/sample-manifests/automation/rhacm-alone/cnf-operators/catalogsources/policy-cs.yaml:
--------------------------------------------------------------------------------
---
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  name: policy-catalogsources
  annotations:
    policy.open-cluster-management.io/standards: NIST SP 800-53
    policy.open-cluster-management.io/categories: CM Configuration Management
    policy.open-cluster-management.io/controls: CM-2 Baseline Configuration
spec:
  remediationAction: enforce
  disabled: false
  policy-templates:
    ## Disable default internet Marketplace sources
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name: policy-wc-disabledefaultsources
        spec:
          remediationAction: enforce # the policy-template spec.remediationAction is overridden by the preceding parameter value for spec.remediationAction.
          severity: low
          namespaceSelector:
            exclude: ["kube-*"]
            include: ["*"]
          object-templates:
            - complianceType: musthave
              objectDefinition:
                apiVersion: config.openshift.io/v1
                kind: OperatorHub
                metadata:
                  name: cluster
                  annotations:
                    include.release.openshift.io/ibm-cloud-managed: "true"
                    include.release.openshift.io/self-managed-high-availability: "true"
                    include.release.openshift.io/single-node-developer: "true"
                    release.openshift.io/create-only: "true"
                spec:
                  disableAllDefaultSources: true
    ## Enable CatalogSources for disconnected env
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name: policy-wc-bastion1-catalogsources
        spec:
          remediationAction: enforce # the policy-template spec.remediationAction is overridden by the preceding parameter value for spec.remediationAction.
          severity: low
          namespaceSelector:
            exclude: ["kube-*"]
            include: ["*"]
          object-templates:
            - complianceType: musthave
              objectDefinition:
                apiVersion: operators.coreos.com/v1alpha1
                kind: CatalogSource
                metadata:
                  name: community-operator-index
                  namespace: openshift-marketplace
                spec:
                  image: bm-cluster-1-hyper.e2e.bos.redhat.com:5000/olm/olm-index-community-operator-index:v4.8
                  sourceType: grpc
                  displayName: WC Lab - Community
                  publisher: wclab
                  updateStrategy:
                    registryPoll:
                      interval: 30m
            - complianceType: musthave
              objectDefinition:
                apiVersion: operators.coreos.com/v1alpha1
                kind: CatalogSource
                metadata:
                  name: redhat-operator-index
                  namespace: openshift-marketplace
                spec:
                  image: bm-cluster-1-hyper.e2e.bos.redhat.com:5000/olm/olm-index-redhat-operator-index:v4.8
                  sourceType: grpc
                  displayName: WC Lab - RedHat
                  publisher: wclab
                  updateStrategy:
                    registryPoll:
                      interval: 30m
---
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
  name: binding-policy-cs
placementRef:
  name: placement-policy-cs
  kind: PlacementRule
  apiGroup: apps.open-cluster-management.io
subjects:
  - name: policy-catalogsources
    kind: Policy
    apiGroup: policy.open-cluster-management.io
---
apiVersion: apps.open-cluster-management.io/v1
kind: PlacementRule
metadata:
  name: placement-policy-cs
spec:
  clusterConditions:
    - status: "True"
      type: ManagedClusterJoined
  clusterSelector:
    matchExpressions:
      - {key: infra, operator: In, values: ["faregde"]}

--------------------------------------------------------------------------------
/sample-manifests/automation/rhacm-alone/cnf-configs/pao/policy-pao48-profile-hp.yaml:
--------------------------------------------------------------------------------
---
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  name: policy-pao-profile-hp
  annotations:
    policy.open-cluster-management.io/standards: NIST SP 800-53
    policy.open-cluster-management.io/categories: CM Configuration Management
    policy.open-cluster-management.io/controls: CM-2 Baseline Configuration
spec:
  remediationAction: enforce
  disabled: false
  policy-templates:
    - objectDefinition:
        ## PAO Profile
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name: policy-pao-profile-hp
        spec:
          remediationAction: enforce
          severity: low
          namespaceSelector:
            exclude: ["kube-*"]
            include: ["*"]
          object-templates:
            - complianceType: musthave
              objectDefinition:
                apiVersion: performance.openshift.io/v1
                kind: PerformanceProfile
                metadata:
                  name: master-du-performance-hp
                spec:
                  additionalKernelArgs:
                    - "idle=poll"
                  cpu:
                    isolated: 3-31,35-63
                    reserved: 0-2,32-34
                  hugepages:
                    defaultHugepagesSize: "1G"
                    pages:
                      - size: "1G"
                        count: 10
                        node: 0
                  machineConfigPoolSelector:
                    pools.operator.machineconfiguration.openshift.io/master: ""
                  net:
                    userLevelNetworking: true
                  nodeSelector:
                    node-role.kubernetes.io/master: ''
                  numa:
                    topologyPolicy: "restricted"
                  realTimeKernel:
                    enabled: false
    - objectDefinition:
        ## Tuned Patch
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name: policy-pao-tuned-profile-hp
        spec:
          remediationAction: enforce
          severity: low
          namespaceSelector:
            exclude: ["kube-*"]
            include: ["*"]
          object-templates:
            - complianceType: musthave
              objectDefinition:
                apiVersion: tuned.openshift.io/v1
                kind: Tuned
                metadata:
                  name: performance-patch-hp
                  namespace: openshift-cluster-node-tuning-operator
                spec:
                  profile:
                    - name: performance-patch
                      data: |
                        [main]
                        summary=Configuration changes profile inherited from performance created tuned
                        include=master-du-performance-hp
                        [bootloader]
                        cmdline_crash=nohz_full=3-31,35-63
                        [sysctl]
                        kernel.timer_migration=1
                        [service]
                        service.stalld=start,enable
                  recommend:
                    - machineConfigLabels:
                        machineconfiguration.openshift.io/role: "master"
                      priority: 19
                      profile: performance-patch
---
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
  name: binding-policy-pao-hp
placementRef:
  name: placement-policy-pao-profile-hp
  kind: PlacementRule
  apiGroup: apps.open-cluster-management.io
subjects:
  - name: policy-pao-profile-hp
    kind: Policy
    apiGroup: policy.open-cluster-management.io
---
apiVersion: apps.open-cluster-management.io/v1
kind: PlacementRule
metadata:
  name: placement-policy-pao-profile-hp
spec:
  clusterConditions:
    - status: "True"
      type: ManagedClusterJoined
  clusterSelector:
    matchExpressions:
      - {key: pao, operator: In, values: ["true"]}
      - {key: server, operator: In, values: ["HP"]}

--------------------------------------------------------------------------------
/sample-manifests/automation/rhacm-alone/cnf-configs/pao/policy-pao48-profile-dell.yaml:
--------------------------------------------------------------------------------
---
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  name: policy-pao-profile-dell
  annotations:
    policy.open-cluster-management.io/standards: NIST SP 800-53
    policy.open-cluster-management.io/categories: CM Configuration Management
    policy.open-cluster-management.io/controls: CM-2 Baseline Configuration
spec:
  remediationAction: enforce
  disabled: false
  policy-templates:
    - objectDefinition:
        ## PAO Profile
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name: policy-pao-profile-dell
        spec:
          remediationAction: enforce
          severity: low
          namespaceSelector:
            exclude: ["kube-*"]
            include: ["*"]
          object-templates:
            - complianceType: musthave
              objectDefinition:
                apiVersion: performance.openshift.io/v1
                kind: PerformanceProfile
                metadata:
                  name: master-du-performance-dell
                spec:
                  additionalKernelArgs:
                    - "idle=poll"
                  cpu:
                    isolated: 3-31,35-63
                    reserved: 0-2,32-34
                  hugepages:
                    defaultHugepagesSize: "1G"
                    pages:
                      - size: "1G"
                        count: 10
                        node: 0
                  machineConfigPoolSelector:
                    pools.operator.machineconfiguration.openshift.io/master: ""
                  net:
                    userLevelNetworking: true
                  nodeSelector:
                    node-role.kubernetes.io/master: ''
                  numa:
                    topologyPolicy: "restricted"
                  realTimeKernel:
                    enabled: false
    - objectDefinition:
        ## Tuned Patch
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name: policy-pao-tuned-profile-dell
        spec:
          remediationAction: enforce
          severity: low
          namespaceSelector:
            exclude: ["kube-*"]
            include: ["*"]
          object-templates:
            - complianceType: musthave
              objectDefinition:
                apiVersion: tuned.openshift.io/v1
                kind: Tuned
                metadata:
                  name: performance-patch-dell
                  namespace: openshift-cluster-node-tuning-operator
                spec:
                  profile:
                    - name: performance-patch
                      data: |
                        [main]
                        summary=Configuration changes profile inherited from performance created tuned
                        include=master-du-performance-dell
                        [bootloader]
                        cmdline_crash=nohz_full=3-31,35-63
                        [sysctl]
                        kernel.timer_migration=1
                        [service]
                        service.stalld=start,enable
                  recommend:
                    - machineConfigLabels:
                        machineconfiguration.openshift.io/role: "master"
                      priority: 19
                      profile: performance-patch
---
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
  name: binding-policy-pao-dell
placementRef:
  name: placement-policy-pao-profile-dell
  kind: PlacementRule
  apiGroup: apps.open-cluster-management.io
subjects:
  - name: policy-pao-profile-dell
    kind: Policy
    apiGroup: policy.open-cluster-management.io
---
apiVersion: apps.open-cluster-management.io/v1
kind: PlacementRule
metadata:
  name: placement-policy-pao-profile-dell
spec:
  clusterConditions:
    - status: "True"
      type: ManagedClusterJoined
  clusterSelector:
    matchExpressions:
      - {key: pao, operator: In, values: ["true"]}
      - {key: server, operator: In, values: ["Dell"]}

--------------------------------------------------------------------------------
/tools/mirror-ocp-full.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# Variables
export PULL_SECRET_JSON=/home/kni/jparrill/pull_secret.json
export LOCAL_REGISTRY=$(hostname):5000
export LOCAL_REPOSITORY=ocp4
export OCP_RELEASE=4.8.12-x86_64
export OCP_REGISTRY=quay.io/openshift-release-dev/ocp-release

# Functional
# Mirror the release payload images into the local registry
function ocp_mirror_release() {
    echo "----> Mirroring OCP Release: ${OCP_RELEASE}"
    oc adm -a "${PULL_SECRET_JSON}" release mirror \
        --from="${OCP_REGISTRY}:${OCP_RELEASE}" \
        --to="${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}" \
        --to-release-image="${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}"
}

# Extract the oc client that matches the release
function download_oc_client() {
    echo "----> Downloading OC Client"
    oc adm --registry-config "${PULL_SECRET_JSON}" release extract \
        --command=oc \
        --from="${OCP_REGISTRY}:${OCP_RELEASE}" \
        --to .

    if [[ ! -f oc ]]; then
        echo "OC Client wasn't extracted, exiting..."
        exit 1
    fi

    mv oc /home/kni/bin/oc
}

# Extract the bare metal IPI installer that matches the release
function download_ipi_installer() {
    echo "----> Downloading IPI Installer"
    oc adm --registry-config "${PULL_SECRET_JSON}" release extract \
        --command=openshift-baremetal-install \
        --from="${OCP_REGISTRY}:${OCP_RELEASE}" \
        --to .

    if [[ ! -f openshift-baremetal-install ]]; then
        echo "OCP Installer wasn't extracted, exiting..."
        exit 1
    fi

    sudo mv openshift-baremetal-install /usr/bin/openshift-baremetal-install
}

# Read artifact locations and digests from the installer's stream metadata,
# then download the RHCOS images into the HTTPD document root
function download_rhcos() {
    export RHCOS_VERSION=$(openshift-baremetal-install coreos print-stream-json | jq -r '.["architectures"]["x86_64"]["artifacts"]["metal"]["release"]')
    export RHCOS_ISO_URI=$(openshift-baremetal-install coreos print-stream-json | jq -r '.["architectures"]["x86_64"]["artifacts"]["metal"]["formats"]["iso"]["disk"]["location"]')
    export RHCOS_ROOT_FS=$(openshift-baremetal-install coreos print-stream-json | jq -r '.["architectures"]["x86_64"]["artifacts"]["metal"]["formats"]["pxe"]["rootfs"]["location"]')
    export RHCOS_QEMU_URI=$(openshift-baremetal-install coreos print-stream-json | jq -r '.["architectures"]["x86_64"]["artifacts"]["qemu"]["formats"]["qcow2.gz"]["disk"]["location"]')
    export RHCOS_QEMU_SHA_UNCOMPRESSED=$(openshift-baremetal-install coreos print-stream-json | jq -r '.["architectures"]["x86_64"]["artifacts"]["qemu"]["formats"]["qcow2.gz"]["disk"]["uncompressed-sha256"]')
    export RHCOS_OPENSTACK_URI=$(openshift-baremetal-install coreos print-stream-json | jq -r '.["architectures"]["x86_64"]["artifacts"]["openstack"]["formats"]["qcow2.gz"]["disk"]["location"]')
    export RHCOS_OPENSTACK_SHA_COMPRESSED=$(openshift-baremetal-install coreos print-stream-json | jq -r '.["architectures"]["x86_64"]["artifacts"]["openstack"]["formats"]["qcow2.gz"]["disk"]["sha256"]')
    export OCP_RELEASE_DOWN_PATH=/var/www/html/$OCP_RELEASE

    echo "RHCOS_VERSION: $RHCOS_VERSION"
    echo "RHCOS_OPENSTACK_URI: $RHCOS_OPENSTACK_URI"
    echo "RHCOS_OPENSTACK_SHA_COMPRESSED: ${RHCOS_OPENSTACK_SHA_COMPRESSED}"
    echo "RHCOS_QEMU_URI: $RHCOS_QEMU_URI"
    echo "RHCOS_QEMU_SHA_UNCOMPRESSED: $RHCOS_QEMU_SHA_UNCOMPRESSED"
    echo "RHCOS_ISO_URI: $RHCOS_ISO_URI"
    echo "RHCOS_ROOT_FS: $RHCOS_ROOT_FS"
    echo "Press Enter to continue or Ctrl-C to cancel download"
    read -r

    if [[ ! -d ${OCP_RELEASE_DOWN_PATH} ]]; then
        echo "----> Downloading RHCOS resources to ${OCP_RELEASE_DOWN_PATH}"
        sudo mkdir -p "${OCP_RELEASE_DOWN_PATH}"
        # -f makes curl fail on HTTP errors instead of saving the error page as an image
        echo "--> Downloading RHCOS resources: RHCOS QEMU Image"
        sudo curl -f -s -L -o "${OCP_RELEASE_DOWN_PATH}/$(basename "${RHCOS_QEMU_URI}")" "${RHCOS_QEMU_URI}"
        echo "--> Downloading RHCOS resources: RHCOS Openstack Image"
        sudo curl -f -s -L -o "${OCP_RELEASE_DOWN_PATH}/$(basename "${RHCOS_OPENSTACK_URI}")" "${RHCOS_OPENSTACK_URI}"
        echo "--> Downloading RHCOS resources: RHCOS ISO"
        sudo curl -f -s -L -o "${OCP_RELEASE_DOWN_PATH}/$(basename "${RHCOS_ISO_URI}")" "${RHCOS_ISO_URI}"
        echo "--> Downloading RHCOS resources: RHCOS RootFS"
        sudo curl -f -s -L -o "${OCP_RELEASE_DOWN_PATH}/$(basename "${RHCOS_ROOT_FS}")" "${RHCOS_ROOT_FS}"
    else
        echo "The folder already exists, so delete it if you want to re-download the RHCOS resources"
    fi
}

# Print the image URLs (with their SHA-256 digests) for install-config.yaml
function format_images_config() {
    echo """
Add the following to install-config.yaml

    bootstrapOSImage: http://$(hostname --long)/$OCP_RELEASE/${RHCOS_QEMU_URI##*/}?sha256=$RHCOS_QEMU_SHA_UNCOMPRESSED
    clusterOSImage: http://$(hostname --long)/$OCP_RELEASE/${RHCOS_OPENSTACK_URI##*/}?sha256=$RHCOS_OPENSTACK_SHA_COMPRESSED
"""
}

download_oc_client
download_ipi_installer
ocp_mirror_release
download_rhcos
format_images_config
--------------------------------------------------------------------------------
/sample-manifests/automation/rhacm-alone/acm-prereqs/03_disconnected_mirror_config.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: bastion1-mirror-config
  namespace: open-cluster-management
  labels:
    app: assisted-service
data:
  ca-bundle.crt: |
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
  registries.conf: |
    unqualified-search-registries = ["registry.access.redhat.com", "docker.io"]

    [[registry]]
      prefix = ""
      location = "quay.io/acm-d"
      mirror-by-digest-only = true

      [[registry.mirror]]
        location = "bm-cluster-1-hyper.e2e.bos.redhat.com:5000/rhacm2"

    [[registry]]
      prefix = ""
      location = "quay.io/ocpmetal"
      mirror-by-digest-only = true

      [[registry.mirror]]
        location = "bm-cluster-1-hyper.e2e.bos.redhat.com:5000/ocpmetal"

    [[registry]]
      prefix = ""
      location = "quay.io/openshift-community-operators/hive-operator"
      mirror-by-digest-only = true

      [[registry.mirror]]
        location = "bm-cluster-1-hyper.e2e.bos.redhat.com:5000/olm/openshift-community-operators-hive-operator"

    [[registry]]
      prefix = ""
      location = "quay.io/openshift-hive/hive"
      mirror-by-digest-only = true

      [[registry.mirror]]
        location = "bm-cluster-1-hyper.e2e.bos.redhat.com:5000/olm/openshift-hive-hive"

    [[registry]]
      prefix = ""
      location = "quay.io/openshift-release-dev/ocp-release"
      mirror-by-digest-only = true

      [[registry.mirror]]
        location = "bm-cluster-1-hyper.e2e.bos.redhat.com:5000/ocp4"

    [[registry]]
      prefix = ""
      location = "quay.io/openshift-release-dev/ocp-v4.0-art-dev"
      mirror-by-digest-only = true

      [[registry.mirror]]
        location = "bm-cluster-1-hyper.e2e.bos.redhat.com:5000/ocp4"

    [[registry]]
      prefix = ""
      location = "quay.io:443/acm-d"
      mirror-by-digest-only = true

      [[registry.mirror]]
        location = "bm-cluster-1-hyper.e2e.bos.redhat.com:5000/rhacm2"

    [[registry]]
      prefix = ""
      location = "registry.redhat.io/openshift4"
      mirror-by-digest-only = true

      [[registry.mirror]]
        location = "bm-cluster-1-hyper.e2e.bos.redhat.com:5000/openshift4"

    [[registry]]
      prefix = ""
      location = "registry.redhat.io/openshift4/ose-local-storage-diskmaker"
      mirror-by-digest-only = true

      [[registry.mirror]]
        location = "bm-cluster-1-hyper.e2e.bos.redhat.com:5000/olm/openshift4-ose-local-storage-diskmaker"

    [[registry]]
      prefix = ""
      location = "registry.redhat.io/openshift4/ose-local-storage-operator"
      mirror-by-digest-only = true

      [[registry.mirror]]
        location = "bm-cluster-1-hyper.e2e.bos.redhat.com:5000/olm/openshift4-ose-local-storage-operator"

    [[registry]]
      prefix = ""
      location = "registry.redhat.io/openshift4/ose-local-storage-operator-bundle"
      mirror-by-digest-only = true

      [[registry.mirror]]
        location = "bm-cluster-1-hyper.e2e.bos.redhat.com:5000/olm/openshift4-ose-local-storage-operator-bundle"

    [[registry]]
      prefix = ""
      location = "registry.redhat.io/openshift4/ose-local-storage-static-provisioner"
      mirror-by-digest-only = true

      [[registry.mirror]]
        location = "bm-cluster-1-hyper.e2e.bos.redhat.com:5000/olm/openshift4-ose-local-storage-static-provisioner"

    [[registry]]
      prefix = ""
      location = "registry.redhat.io/rhacm2"
      mirror-by-digest-only = true

      [[registry.mirror]]
        location = "bm-cluster-1-hyper.e2e.bos.redhat.com:5000/rhacm2"

    [[registry]]
      prefix = ""
      location = "registry.redhat.io/rhel8"
      mirror-by-digest-only = true

      [[registry.mirror]]
        location = "bm-cluster-1-hyper.e2e.bos.redhat.com:5000/rhel8"
--------------------------------------------------------------------------------
/sample-manifests/hub/04_AI-Disconnected-MirrorConfig.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: ConfigMap
metadata:
  name: hyper1-mirror-config
  namespace: open-cluster-management
  labels:
    app: assisted-service
data:
  ca-bundle.crt: |
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
  registries.conf: |
    unqualified-search-registries = ["registry.access.redhat.com", "docker.io"]

    [[registry]]
      prefix = ""
      location = "quay.io/acm-d"
      mirror-by-digest-only = true

      [[registry.mirror]]
        location = "bm-cluster-1-hyper.e2e.bos.redhat.com:5000/rhacm2"

    [[registry]]
      prefix = ""
      location = "quay.io/ocpmetal"
      mirror-by-digest-only = true

      [[registry.mirror]]
        location = "bm-cluster-1-hyper.e2e.bos.redhat.com:5000/ocpmetal"

    [[registry]]
      prefix = ""
      location = "quay.io/openshift-community-operators/hive-operator"
      mirror-by-digest-only = true

      [[registry.mirror]]
        location = "bm-cluster-1-hyper.e2e.bos.redhat.com:5000/olm/openshift-community-operators-hive-operator"

    [[registry]]
      prefix = ""
      location = "quay.io/openshift-hive/hive"
      mirror-by-digest-only = true

      [[registry.mirror]]
        location = "bm-cluster-1-hyper.e2e.bos.redhat.com:5000/olm/openshift-hive-hive"

    [[registry]]
      prefix = ""
      location = "quay.io/openshift-release-dev/ocp-release"
      mirror-by-digest-only = true

      [[registry.mirror]]
        location = "bm-cluster-1-hyper.e2e.bos.redhat.com:5000/ocp4"

    [[registry]]
      prefix = ""
      location = "quay.io/openshift-release-dev/ocp-v4.0-art-dev"
      mirror-by-digest-only = true

      [[registry.mirror]]
        location = "bm-cluster-1-hyper.e2e.bos.redhat.com:5000/ocp4"

    [[registry]]
      prefix = ""
      location = "quay.io:443/acm-d"
      mirror-by-digest-only = true

      [[registry.mirror]]
        location = "bm-cluster-1-hyper.e2e.bos.redhat.com:5000/rhacm2"

    [[registry]]
      prefix = ""
      location = "registry.redhat.io/openshift4"
      mirror-by-digest-only = true

      [[registry.mirror]]
        location = "bm-cluster-1-hyper.e2e.bos.redhat.com:5000/openshift4"

    [[registry]]
      prefix = ""
      location = "registry.redhat.io/openshift4/ose-local-storage-diskmaker"
      mirror-by-digest-only = true

      [[registry.mirror]]
        location = "bm-cluster-1-hyper.e2e.bos.redhat.com:5000/olm/openshift4-ose-local-storage-diskmaker"

    [[registry]]
      prefix = ""
      location = "registry.redhat.io/openshift4/ose-local-storage-operator"
      mirror-by-digest-only = true

      [[registry.mirror]]
        location = "bm-cluster-1-hyper.e2e.bos.redhat.com:5000/olm/openshift4-ose-local-storage-operator"

    [[registry]]
      prefix = ""
      location = "registry.redhat.io/openshift4/ose-local-storage-operator-bundle"
      mirror-by-digest-only = true

      [[registry.mirror]]
        location = "bm-cluster-1-hyper.e2e.bos.redhat.com:5000/olm/openshift4-ose-local-storage-operator-bundle"

    [[registry]]
      prefix = ""
      location = "registry.redhat.io/openshift4/ose-local-storage-static-provisioner"
      mirror-by-digest-only = true

      [[registry.mirror]]
        location = "bm-cluster-1-hyper.e2e.bos.redhat.com:5000/olm/openshift4-ose-local-storage-static-provisioner"

    [[registry]]
      prefix = ""
      location = "registry.redhat.io/rhacm2"
      mirror-by-digest-only = true

      [[registry.mirror]]
        location = "bm-cluster-1-hyper.e2e.bos.redhat.com:5000/rhacm2"

    [[registry]]
      prefix = ""
      location = "registry.redhat.io/rhel8"
      mirror-by-digest-only = true

      [[registry.mirror]]
        location = "bm-cluster-1-hyper.e2e.bos.redhat.com:5000/rhel8"
--------------------------------------------------------------------------------
/sample-manifests/automation/rhacm-alone/cnf-configs/ptp/policy-ptp-profile.yaml:
--------------------------------------------------------------------------------
---
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  name: policy-ptp-slave-profile
  annotations:
    policy.open-cluster-management.io/standards: NIST SP 800-53
    policy.open-cluster-management.io/categories: CM Configuration Management
    policy.open-cluster-management.io/controls: CM-2 Baseline Configuration
spec:
  remediationAction: enforce
  disabled: false
  policy-templates:
    - objectDefinition:
        ## PTP Slave Profile
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name: policy-ptp-slave-profile
        spec:
          remediationAction: enforce
          severity: low
          namespaceSelector:
            exclude: ["kube-*"]
            include: ["*"]
          object-templates:
            - complianceType: musthave
              objectDefinition:
                apiVersion: ptp.openshift.io/v1
                kind: PtpConfig
                metadata:
                  name: slave
                  namespace: openshift-ptp
                spec:
                  profile:
                    - name: "slave"
                      interface: "ens1f0"
                      ptp4lOpts: "-s -2 --summary_interval -4"
                      phc2sysOpts: "-a -r -n 24"
                      ptp4lConf: |
                        [global]
                        #
                        # Default Data Set
                        #
                        twoStepFlag 1
                        slaveOnly 0
                        priority1 128
                        priority2 90
                        domainNumber 24
                        #utc_offset 37
                        clockClass 248
                        clockAccuracy 0xFE
                        offsetScaledLogVariance 0xFFFF
                        free_running 0
                        freq_est_interval 1
                        dscp_event 0
                        dscp_general 0
                        dataset_comparison ieee1588
                        G.8275.defaultDS.localPriority 200
                        #
                        # Port Data Set
                        #
                        logAnnounceInterval -3
                        logSyncInterval -4
                        logMinDelayReqInterval -4
                        logMinPdelayReqInterval -4
                        announceReceiptTimeout 3
                        syncReceiptTimeout 0
                        delayAsymmetry 0
                        fault_reset_interval -128
                        neighborPropDelayThresh 20000000
                        masterOnly 0
                        G.8275.portDS.localPriority 200
                        #
                        # Run time options
                        #
                        assume_two_step 0
                        logging_level 6
                        path_trace_enabled 0
                        follow_up_info 0
                        hybrid_e2e 0
                        inhibit_multicast_service 0
                        net_sync_monitor 0
                        tc_spanning_tree 0
                        tx_timestamp_timeout 1000
                        unicast_listen 0
                        unicast_master_table 0
                        unicast_req_duration 3600
                        use_syslog 1
                        verbose 0
                        summary_interval -4
                        kernel_leap 1
                        check_fup_sync 0
                        #
                        # Servo Options
                        #
                        pi_proportional_const 0.0
                        pi_integral_const 0.0
                        pi_proportional_scale 0.0
                        pi_proportional_exponent -0.3
                        pi_proportional_norm_max 0.7
                        pi_integral_scale 0.0
                        pi_integral_exponent 0.4
                        pi_integral_norm_max 0.3
                        step_threshold 0.0
                        first_step_threshold 0.00002
                        max_frequency 900000000
                        clock_servo pi
                        sanity_freq_limit 200000000
                        ntpshm_segment 0
                        #
                        # Transport options
                        #
                        transportSpecific 0x0
                        ptp_dst_mac 01:1B:19:00:00:00
                        p2p_dst_mac 01:80:C2:00:00:0E
                        udp_ttl 1
                        udp6_scope 0x0E
                        uds_address /var/run/ptp4l
                        #
                        # Default interface options
                        #
                        clock_type OC
                        #network_transport UDPv4
                        network_transport L2
                        delay_mechanism E2E
                        time_stamping hardware
                        tsproc_mode filter
                        delay_filter moving_median
                        delay_filter_length 10
                        egressLatency 0
                        ingressLatency 0
                        boundary_clock_jbod 0
                        #
                        # Clock description
                        #
                        productDescription ;;
                        revisionData ;;
                        manufacturerIdentity 00:00:00
                        userDescription ;
                        timeSource 0xA0
                  recommend:
                    - profile: "slave"
                      priority: 4
                      match:
                        - nodeLabel: "node-role.kubernetes.io/master"
---
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
  name: binding-policy-ptp
placementRef:
  name: placement-policy-ptp-profile
  kind: PlacementRule
  apiGroup: apps.open-cluster-management.io
subjects:
  - name: policy-ptp-slave-profile
    kind: Policy
    apiGroup: policy.open-cluster-management.io
---
apiVersion: apps.open-cluster-management.io/v1
kind: PlacementRule
metadata:
  name: placement-policy-ptp-profile
spec:
  clusterConditions:
    - status: "True"
      type: ManagedClusterJoined
  clusterSelector:
    matchExpressions:
      - {key: ptp, operator: In, values: ["true"]}
--------------------------------------------------------------------------------
/docs/prerequirements/host-internal-resources.md:
--------------------------------------------------------------------------------
Table of contents:

- [Host Internal resources](#host-internal-resources)
  - [HTTPD Server deployment and Configuration](#httpd-server-deployment-and-configuration)
  - [Internal Registry Deployment and Configuration](#internal-registry-deployment-and-configuration)
  - [Download the desired OpenShift ISO and RootFS](#download-the-desired-openshift-iso-and-rootfs)

# Host Internal resources

In this section we will cover:

- HTTPD Server deployment and Configuration
- Internal Registry Deployment and Configuration
- Download the desired OpenShift ISOs and host them

## HTTPD Server deployment and Configuration

This is an easy step: we just need to install the HTTPD server and start the service:

```sh
sudo dnf install httpd -y
systemctl enable --now httpd
firewall-cmd --add-service http --permanent
firewall-cmd --reload
```

If you decide to host over HTTPS, ensure the certificate is included (via Ignition) in the ISO that is created; otherwise the Agent on the destination node will not be able to download the ISO and RootFS.

:warning: **The URL set in the osImages section should be a trusted one; if not, the image download and creation will fail during the process. Untrusted HTTPS servers are not supported**

## Internal Registry Deployment and Configuration

For this task we need to create the certificate for our internal registry. To do that, fill in the variables in this script and execute it:

```sh
#!/bin/bash

## Variables to fill
host_fqdn=$( hostname --long )
path=$(pwd)/registry
cert_c="ES"               # Country Name (C, 2 letter code)
cert_s="Spain"            # Certificate State (S)
cert_l="Madrid"           # Certificate Locality (L)
cert_o="adrogallop SL"    # Certificate Organization (O)
cert_ou="infra"           # Certificate Organizational Unit (OU)
cert_cn="${host_fqdn}"    # Certificate Common Name (CN)

## Functional part of the script
# conf/ holds the config.yml that the registry container mounts
mkdir -p "${path}"/{auth,certs,data,conf}

# Self-signed certificate (10 years) with the host FQDN as subjectAltName
openssl req \
    -newkey rsa:4096 \
    -nodes \
    -sha256 \
    -keyout "${path}/certs/domain.key" \
    -x509 \
    -days 3650 \
    -out "${path}/certs/domain.crt" \
    -addext "subjectAltName = DNS:${host_fqdn}" \
    -subj "/C=${cert_c}/ST=${cert_s}/L=${cert_l}/O=${cert_o}/OU=${cert_ou}/CN=${cert_cn}"

# Trust the certificate on this host and create the registry credentials
sudo cp "${path}/certs/domain.crt" /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust extract
htpasswd -bBc "${path}/auth/htpasswd" dummy dummy
```

Running it creates a certificate and loads it into the host `ca-trust` bundle so that it is trusted as a CA. It then creates the htpasswd file with the user and password `dummy`, which is the authentication your Pull Secret needs to access the registry.

Now we will create the registry configuration (`${path}/conf/config.yml`, the file the registry container mounts), using something like this:

```
version: 0.1
log:
  fields:
    service: registry
storage:
  cache:
    blobdescriptor: inmemory
  filesystem:
    rootdirectory: /var/lib/registry
http:
  addr: :5000
  headers:
    X-Content-Type-Options: [nosniff]
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3
compatibility:
  schema1:
    enabled: true
```

**NOTE**: One of the most important parts is the schema compatibility; without it, the mirroring process will not work.

Next, create the podman registry container that will host the OCP and OLM container images by executing this script:

```sh
#!/bin/bash

host_fqdn=$( hostname --long )
path=$(pwd)/registry

# Registry with htpasswd authentication and TLS, using the files created above
podman create \
    --name ocpdiscon-registry \
    -p 5000:5000 \
    -e "REGISTRY_AUTH=htpasswd" \
    -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry" \
    -e "REGISTRY_HTTP_SECRET=ALongRandomSecretForRegistry" \
    -e "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd" \
    -e "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt" \
    -e "REGISTRY_HTTP_TLS_KEY=/certs/domain.key" \
    -e "REGISTRY_COMPATIBILITY_SCHEMA1_ENABLED=true" \
    -v "${path}/data:/var/lib/registry:z" \
    -v "${path}/auth:/auth:z" \
    -v "${path}/certs:/certs:z" \
    -v "${path}/conf/config.yml:/etc/docker/registry/config.yml:z" \
    docker.io/library/registry:2

podman start ocpdiscon-registry
```

After executing it, make sure the firewall port is open:

```
firewall-cmd --add-port 5000/tcp --permanent
firewall-cmd --reload
```

To check that the registry is up and running, first write the `pull_secret.json`:

```
{
  "auths": {
    "xenomorph.localdomain:5000": {
      "auth": "ZHVtbXk6ZHVtbXk="
    }
  }
}
```

**NOTE**: Ensure you change the `hostname`.

Then try to mirror an image manually using `skopeo`:

```sh
skopeo copy --authfile ${PULL_SECRET_JSON} --all docker://quay.io/jparrill/busybox:1.28 docker://xenomorph.localdomain:5000/jparrill/busybox:1.28
```

The image is a public sample; replace `${PULL_SECRET_JSON}` with the path to your pull secret file.
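
The `auth` value in the pull secret above is only base64 of `dummy:dummy`, and the registry container is started with a fixed `REGISTRY_HTTP_SECRET`. The script below is an added example, not part of the original repository, that audits the `auths` entries of a pull secret for weak credentials and generates random replacements; the function names, the `mirror` user name and the 16-character threshold are assumptions of the example.

```bash
#!/bin/bash
# Added example (hypothetical helper names): audit pull-secret credentials
# and generate random values for the registry.

# Build the base64 "auth" value for USER and PASS.
make_auth() {
  printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Decode an "auth" value back to USER:PASS.
decode_auth() {
  printf '%s' "$1" | base64 -d
}

# Return 0 (weak) when the value cannot be decoded, the password equals the
# user name, or the password is shorter than 16 characters (assumed threshold).
is_weak_auth() {
  local creds user pass
  creds=$(decode_auth "$1" 2>/dev/null) || return 0
  user=${creds%%:*}
  pass=${creds#*:}
  [ "$pass" = "$user" ] && return 0
  [ "${#pass}" -lt 16 ] && return 0
  return 1
}

# Print "HOST<TAB>USER<TAB>weak|ok" for every entry under "auths" in FILE.
# The entries are matched with grep/sed, which is enough for the flat layout
# of a pull secret; this is a shortcut of the example, not a JSON parser.
audit_pull_secret() {
  local file=$1 entry host auth user verdict
  tr -d ' \t\r\n' < "$file" |
    grep -oE '"[^"]+":\{[^{}]*"auth":"[^"]*"' |
    while IFS= read -r entry; do
      host=$(printf '%s' "$entry" | sed -E 's/^"([^"]+)".*/\1/')
      auth=$(printf '%s' "$entry" | sed -E 's/.*"auth":"([^"]*)"$/\1/')
      user=$(decode_auth "$auth" 2>/dev/null | cut -d: -f1)
      if is_weak_auth "$auth"; then verdict=weak; else verdict=ok; fi
      printf '%s\t%s\t%s\n' "$host" "$user" "$verdict"
    done
}

# Generate N random characters from [A-Za-z0-9] using /dev/urandom.
gen_secret() {
  local n=${1:-32} s=
  while [ "${#s}" -lt "$n" ]; do
    s=$s$(head -c 64 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9')
  done
  printf '%s' "$s" | cut -c "1-$n" | tr -d '\n'
}

# Constructed sample input: the pull secret shown on this page.
demo() {
  local f new_pass
  f=$(mktemp)
  cat > "$f" <<'EOF'
{
  "auths": {
    "xenomorph.localdomain:5000": {
      "auth": "ZHVtbXk6ZHVtbXk="
    }
  }
}
EOF
  audit_pull_secret "$f"
  rm -f "$f"

  # Random values to use instead of "dummy dummy" and the fixed HTTP secret.
  new_pass=$(gen_secret 32)
  echo "htpasswd password:    ${new_pass}"
  echo "pull secret auth:     $(make_auth mirror "${new_pass}")"
  echo "REGISTRY_HTTP_SECRET: $(gen_secret 48)"
}

demo
```

The generated password goes to `htpasswd` in place of `dummy dummy`, and the matching `auth` value goes into the pull secret for the registry host.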

## Download the desired OpenShift ISO and RootFS

To download the right ISO and RootFS we just need to go to the published versions of OpenShift:

- Here for Internal Builds: https://openshift-release.apps.ci.l2s4.p1.openshiftapps.com/
- Here for External and Public builds: https://mirror.openshift.com/pub/openshift-v4/dependencies/rhcos/pre-release/

Then download them into the right folder:

```sh
sudo wget https://mirror.openshift.com/pub/openshift-v4/dependencies/rhcos/pre-release/latest-4.8/rhcos-4.8.0-fc.9-x86_64-live-rootfs.x86_64.img -O /var/www/html/rhcos-4.8.0-fc.9-x86_64-live-rootfs.x86_64.img
sudo wget https://mirror.openshift.com/pub/openshift-v4/dependencies/rhcos/pre-release/latest-4.8/rhcos-4.8.0-fc.9-x86_64-live.x86_64.iso -O /var/www/html/rhcos-4.8.0-fc.9-x86_64-live.x86_64.iso
```

**NOTE**: This script makes it easier to download all the required resources for a specific OCP4 and RHCOS version: [Link](/docs/prerequirements/ocp4-ipi-deployment.md#downloading-rhcos-and-ocp-resources)

That should be it. You can check it with a curl command:

```sh
curl http://$(hostname)/rhcos-4.8.0-fc.9-x86_64-live-rootfs.x86_64.img
```

And the output should be something like:

```console
Warning: Binary output can mess up your terminal. Use "--output -" to tell
Warning: curl to output it to your terminal anyway, or consider "--output
Warning: <FILE>" to save to a file.
```
--------------------------------------------------------------------------------
/docs/prerequirements/acm-downstream-deployment-disconnected.md:
--------------------------------------------------------------------------------
Table of contents:

- [ACM Downstream Deployment Disconnected](#acm-downstream-deployment-disconnected)
  - [Permission for Downstream Repository](#permission-for-downstream-repository)
  - [ACM Downstream Image Mirroring](#acm-downstream-image-mirroring)
  - [ACM Downstream deployment](#acm-downstream-deployment)
  - [ACM Uninstall process](#acm-uninstall-process)
  - [Demo video](https://www.youtube.com/watch?v=JSkPCkuO16s&list=PLaR6Rq6Z4IqecDatkODye7IWMJUc5r6td&index=8)

# ACM Downstream Deployment Disconnected

**NOTE**: We follow the same procedure described in the `README.md` file of the deployment repository. Everything is well explained there, so if you have doubts that is the right place to look (it even covers how to [deploy an ACM downstream version](https://github.com/open-cluster-management/deploy#deploying-downstream-builds-snapshots-for-product-quality-engineering)).

## Permission for Downstream Repository

First, we need to follow the instructions mentioned [here](https://github.com/open-cluster-management/deploy#prepare-to-deploy-open-cluster-management-instance-only-do-once) to request pull permission for the repo **quay.io/acm-d**.

Then you can verify that you have enough permission:

```sh
podman pull --authfile ${PULL_SECRET} quay.io/acm-d/acm-custom-registry:2.3.0-DOWNSTREAM-2021-06-13-16-46-23
```

## ACM Downstream Image Mirroring

To do that, you will need to follow [these steps](https://gist.github.com/cdoan1/c6b83cb30110ef981fbca71e1e04a596) originally written by `Chris Doan`. Here is an alternative script I've created to help you do it in a more automated way:

```sh
#!/bin/bash
export PULL_SECRET_JSON=~/pull-secret.json
export LOCAL_REGISTRY=$(hostname):5000
export SNAPSHOT=2.3.0-DOWNSTREAM-2021-06-16-09-34-33
export ACM_OP_BUNDLE=v2.3.0-127
export IMAGE_INDEX=quay.io/acm-d/acm-custom-registry
export BUILD_FOLDER=./build
export REMOTE_REGISTRY=quay.io:443/acm-d

# Clean previous tries
rm -rf "${BUILD_FOLDER}"

# Copy ACM Custom Registry index and bundle images
echo
echo ">>>>>>>>>>>>>>> Cloning the Index and Bundle images..."
skopeo copy --authfile "${PULL_SECRET_JSON}" "docker://quay.io/acm-d/acm-custom-registry:${SNAPSHOT}" "docker://${LOCAL_REGISTRY}/rhacm2/acm-custom-registry:${SNAPSHOT}" --all
skopeo copy --authfile "${PULL_SECRET_JSON}" "docker://quay.io/acm-d/acm-operator-bundle:${ACM_OP_BUNDLE}" "docker://${LOCAL_REGISTRY}/rhacm2/acm-operator-bundle:${ACM_OP_BUNDLE}" --all

# Generate Mapping.txt
echo
echo ">>>>>>>>>>>>>>> Creating mapping assets..."
oc adm -a "${PULL_SECRET_JSON}" catalog mirror "${IMAGE_INDEX}:${SNAPSHOT}" "${LOCAL_REGISTRY}" --manifests-only --to-manifests="${BUILD_FOLDER}"

# Replace the upstream registry by the downstream one
sed -i "s#registry.redhat.io/rhacm2/#${REMOTE_REGISTRY}/#" "${BUILD_FOLDER}/mapping.txt"

# Mirror the images into your mirror registry.
echo
echo ">>>>>>>>>>>>>>> Mirroring images..."
oc image mirror -f "${BUILD_FOLDER}/mapping.txt" -a "${PULL_SECRET_JSON}" --filter-by-os='.*' --keep-manifest-list --continue-on-error=true

echo ">>>>>>>>>>>>>>> Copying images via skopeo..."
# Each mapping.txt line is "source=destination"; IFS is changed only for the read
while IFS='=' read -r src dst
do
    echo "skopeo copy --authfile ${PULL_SECRET_JSON} docker://${src} docker://${dst} --all"
    skopeo copy --authfile "${PULL_SECRET_JSON}" "docker://${src}" "docker://${dst}" --all < /dev/null
done < "${BUILD_FOLDER}/mapping.txt"

echo
echo "export CUSTOM_REGISTRY_REPO=${LOCAL_REGISTRY}/rhacm2"
echo "export DEFAULT_SNAPSHOT=${SNAPSHOT}"

```

This takes about 30 minutes, maybe less. You need to check these 2 resources to fill in the proper variables:

- The ACM Index image which is called `acm-custom-registry`: https://quay.io/repository/acm-d/acm-custom-registry?tab=tags
- The ACM Operator Bundle which is called `acm-operator-bundle`: https://quay.io/repository/acm-d/acm-operator-bundle?tag=latest&tab=tags

Check both and pick the tags that make sense for your deployment. A hint for relating the index to the bundle could be the `LAST MODIFIED` field on `Quay.io`.

Take note of the right tags for both and put them in the script variables.

Also ensure that:

- `PULL_SECRET_JSON` is in place and is the right one
- `LOCAL_REGISTRY` is your internal registry and it's reachable
- `SNAPSHOT` points to the desired `acm-custom-registry` tag
- `ACM_OP_BUNDLE` points to the desired `acm-operator-bundle` tag
- You have loaded your `Kubeconfig` file as the `KUBECONFIG` environment variable with `export KUBECONFIG=/path/to/the/kubeconfig`

After that we can execute the script:

```sh
./acm-image-sync.sh
```

## ACM Downstream deployment

To deploy an ACM Downstream version you will need this repository: **https://github.com/open-cluster-management/deploy**, so clone it and we can continue with the process.

Now we need to follow these steps:

- After cloning it and entering the `deploy` folder, modify the file called `snapshot.ver` with the version you want to deploy
- Then ensure you have 3 PVs (at least) available to be bound
- You will need to export some variables to the environment

```sh
export DEFAULT_SNAPSHOT=""
export KUBECONFIG=
export CUSTOM_REGISTRY_REPO=:/rhacm2
export COMPOSITE_BUNDLE=true
export DEBUG=true
```

In my case it is something like:

```sh
export DEFAULT_SNAPSHOT="2.3.0-DOWNSTREAM-2021-06-16-09-34-33"
export KUBECONFIG=/home/kni/ipv6/mgmt-hub/auth/kubeconfig
export CUSTOM_REGISTRY_REPO=bm-cluster-1-hyper.e2e.bos.redhat.com:5000/rhacm2
export COMPOSITE_BUNDLE=true
export DEBUG=true
```

- Now we just need to execute the deployment script called `start.sh`

- When it finishes, check that all pods are in Running state. The installation process takes some time to finish, so be patient.

```sh
oc get pods -n open-cluster-management
```

- After the installation has finished, double check that the Multi Cluster Hub object has been annotated with your custom registry repo, otherwise the managed cluster won't be able to pull the required images.

```sh
oc annotate mch multiclusterhub mch-imageRepository='bm-cluster-1-hyper.e2e.bos.redhat.com:5000/rhacm2'
```

## ACM Uninstall process

In the typical situation you just need to delete the subscription and that's it, but here it's a bit different, so be aware.

Using the same deploy repository we've seen before, and with the same variables loaded into the environment, we just need to execute the `uninstall.sh` script and eventually it will get uninstalled.

--------------------------------------------------------------------------------
/tools/mirror-olm.sh:
--------------------------------------------------------------------------------
#!/bin/bash -e
# Disconnected Operator Catalog Mirror and Minor Upgrade
# Variables to set; adjust them to suit your installation

export OCP_RELEASE=4.8
export OCP_RELEASE_FULL=$OCP_RELEASE.0
export ARCHITECTURE=x86_64
export SIGNATURE_BASE64_FILE="signature-sha256-$OCP_RELEASE_FULL.yaml"
export OCP_PULLSECRET_AUTHFILE='/root/pull_secret.json'
export LOCAL_REGISTRY=bm-cluster-1-hyper.e2e.bos.redhat.com:5000
export LOCAL_REGISTRY_MIRROR_TAG=/ocp4/openshift4
export LOCAL_REGISTRY_INDEX_TAG=olm-index/redhat-operator-index:v$OCP_RELEASE
export LOCAL_REGISTRY_INDEX_TAG_COMM=olm-index/community-operator-index:v$OCP_RELEASE
export LOCAL_REGISTRY_IMAGE_TAG=olm

# Set these values to true for the catalog and mirror to be created
export RH_OP='true'
export CERT_OP='false'
export COMM_OP='true'
export MARKETPLACE_OP='false'

export RH_OP_INDEX="registry.redhat.io/redhat/redhat-operator-index:v${OCP_RELEASE}"
export CERT_OP_INDEX="registry.redhat.io/redhat/certified-operator-index:v${OCP_RELEASE}"
export COMM_OP_INDEX="registry.redhat.io/redhat/community-operator-index:v${OCP_RELEASE}"
export MARKETPLACE_OP_INDEX="registry.redhat.io/redhat-marketplace-index:v${OCP_RELEASE}"
export RH_OP_PACKAGES='advanced-cluster-management,local-storage-operator,ocs-operator,performance-addon-operator,ptp-operator,sriov-network-operator'
export COMM_OP_PACKAGES='hive-operator'
export CERT_OP_PACKAGES=""

if [ $# -lt 1 ]; then
    echo "Usage : $0 mirror|mirror-olm|upgrade"
    exit 1
fi

# Apply the ISV GPG key as specified in https://access.redhat.com/solutions/6542281
setup-gpg-if-needed() {
    if [ ! -f /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-isv ]; then
        echo "WARNING: GPG key for certified operators not found. setting it up now..."
        sudo curl -s -o /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-isv https://www.redhat.com/security/data/55A34A82.txt
        # Keep a backup of the current signature policy before changing it
        sudo cp /etc/containers/policy.json /etc/containers/policy.json_bck
        # Write (not append) the new policy, so a leftover temp file cannot produce invalid JSON
        jq '.transports.docker."registry.redhat.io/redhat/certified-operator-index" += [{"type": "signedBy","keyType": "GPGKeys","keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-isv"}]' /etc/containers/policy.json > temp-policy.json
        sudo mv temp-policy.json /etc/containers/policy.json
    fi
}

mirror() {
    # Check for credentials for OPM
    if [ ! -f ~/.docker/config.json ]; then
        echo "ERROR: missing ~/.docker/config.json config"
        exit 1
    fi

    # Mirror redhat-operator index image
    if [ "${RH_OP}" = true ]; then
        echo "opm index prune --from-index $RH_OP_INDEX --packages $RH_OP_PACKAGES --tag $LOCAL_REGISTRY/$LOCAL_REGISTRY_INDEX_TAG"
        opm index prune --from-index $RH_OP_INDEX --packages $RH_OP_PACKAGES --tag $LOCAL_REGISTRY/$LOCAL_REGISTRY_INDEX_TAG
        # --tls-verify=false skips certificate validation for the push to the local registry
        GODEBUG=x509ignoreCN=0 podman push --tls-verify=false $LOCAL_REGISTRY/$LOCAL_REGISTRY_INDEX_TAG --authfile $OCP_PULLSECRET_AUTHFILE
        GODEBUG=x509ignoreCN=0 oc adm catalog mirror $LOCAL_REGISTRY/$LOCAL_REGISTRY_INDEX_TAG $LOCAL_REGISTRY/$LOCAL_REGISTRY_IMAGE_TAG --registry-config=$OCP_PULLSECRET_AUTHFILE

        cat >redhat-operator-index-manifests/catalogsource.yaml <certified-operator-index-manifests/catalogsource.yaml <community-operator-index-manifests/catalogsource.yaml <$SIGNATURE_BASE64_FILE <

- [OpenShift 4 Baremetal disconnected deployment](#openshift-4-baremetal-disconnected-deployment)
  - [Downloading RHCOS and OCP Resources](#downloading-rhcos-and-ocp-resources)
  - [OpenShift 4 IPI Baremetal Deployment](#openshift-4-ipi-baremetal-deployment)
  - [Side scenarios](#side-scenarios)
    - [Spoke deployment without Provisioning network](#spoke-deployment-without-provisioning-network)

# OpenShift 4 Baremetal disconnected deployment

Ok, if you are here, it means that you have already mirrored all the images of an OpenShift release and also the OLM Marketplace images, so let's continue with the Hub deployment.

It will be based on an IPI deployment on Baremetal, IPv6/Disconnected.

## Downloading RHCOS and OCP Resources

You can use this script to mirror the images and download the relevant binaries (`oc` client and `openshift-baremetal-install`).

The script will do four things:

- First, update the `oc` client by extracting it from the release you will pull from the external registry.
- Second, extract the `openshift-baremetal-install` binary, also from the release image of the external registry.
- Third, execute the OCP release mirror (maybe you already did this part).
- Fourth, download the associated RHCOS version and host it on our HTTPD server. This last step will try to download the RHCOS QEMU and OpenStack images; take note of the values to put them in the `install-config.yaml` file.

- `ocp_mirror.sh`

```sh
#!/bin/bash

# Variables
export PULL_SECRET_JSON=/home/kni/jparrill/pull_secret.json
export LOCAL_REGISTRY=$(hostname):5000
export LOCAL_REPOSITORY=ocp4
export OCP_RELEASE=4.8.0-fc.9-x86_64
export OCP_REGISTRY=quay.io/openshift-release-dev/ocp-release


# Functional
# Mirror the release payload into the local registry
function ocp_mirror_release() {
    echo "----> Mirroring OCP Release: ${OCP_RELEASE}"
    oc adm -a ${PULL_SECRET_JSON} release mirror \
        --from=${OCP_REGISTRY}:${OCP_RELEASE} \
        --to=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} \
        --to-release-image=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}
}

# Extract the oc client that matches the release
function download_oc_client() {
    echo "----> Downloading OC Client"
    oc adm --registry-config ${PULL_SECRET_JSON} release extract \
        --command=oc \
        --from=${OCP_REGISTRY}:${OCP_RELEASE} \
        --to .

    if [[ ! -f oc ]];then
        echo "OC Client wasn't extracted, exiting..."
        exit 1
    fi

    mv oc /home/kni/bin/oc
}

# Extract the baremetal installer that matches the release
function download_ipi_installer() {
    echo "----> Downloading IPI Installer"
    oc adm --registry-config ${PULL_SECRET_JSON} release extract \
        --command=openshift-baremetal-install \
        --from=${OCP_REGISTRY}:${OCP_RELEASE} \
        --to .

    if [[ ! -f openshift-baremetal-install ]];then
        echo "OCP Installer wasn't extracted, exiting..."
        exit 1
    fi

    sudo mv openshift-baremetal-install /usr/bin/openshift-baremetal-install
}

# Read image locations and digests from the installer's stream metadata, then download the images
function download_rhcos() {
    export RHCOS_VERSION=$(openshift-baremetal-install coreos print-stream-json | jq -r '.["architectures"]["x86_64"]["artifacts"]["metal"]["release"]')
    export RHCOS_ISO_URI=$(openshift-baremetal-install coreos print-stream-json | jq -r '.["architectures"]["x86_64"]["artifacts"]["metal"]["formats"]["iso"]["disk"]["location"]')
    export RHCOS_ROOT_FS=$(openshift-baremetal-install coreos print-stream-json | jq -r '.["architectures"]["x86_64"]["artifacts"]["metal"]["formats"]["pxe"]["rootfs"]["location"]')
    export RHCOS_QEMU_URI=$(openshift-baremetal-install coreos print-stream-json | jq -r '.["architectures"]["x86_64"]["artifacts"]["qemu"]["formats"]["qcow2.gz"]["disk"]["location"]')
    export RHCOS_QEMU_SHA_UNCOMPRESSED=$(openshift-baremetal-install coreos print-stream-json | jq -r '.["architectures"]["x86_64"]["artifacts"]["qemu"]["formats"]["qcow2.gz"]["disk"]["uncompressed-sha256"]')
    export RHCOS_OPENSTACK_URI=$(openshift-baremetal-install coreos print-stream-json | jq -r '.["architectures"]["x86_64"]["artifacts"]["openstack"]["formats"]["qcow2.gz"]["disk"]["location"]')
    export RHCOS_OPENSTACK_SHA_COMPRESSED=$(openshift-baremetal-install coreos print-stream-json | jq -r '.["architectures"]["x86_64"]["artifacts"]["openstack"]["formats"]["qcow2.gz"]["disk"]["sha256"]')
    export OCP_RELEASE_DOWN_PATH=/var/www/html/$OCP_RELEASE

    echo "RHCOS_VERSION: $RHCOS_VERSION"
    echo "RHCOS_OPENSTACK_URI: $RHCOS_OPENSTACK_URI"
    echo "RHCOS_OPENSTACK_SHA_COMPRESSED: ${RHCOS_OPENSTACK_SHA_COMPRESSED}"
    echo "RHCOS_QEMU_URI: $RHCOS_QEMU_URI"
    echo "RHCOS_QEMU_SHA_UNCOMPRESSED: $RHCOS_QEMU_SHA_UNCOMPRESSED"
    echo "RHCOS_ISO_URI: $RHCOS_ISO_URI"
    echo "RHCOS_ROOT_FS: $RHCOS_ROOT_FS"
    echo "Press ctrl-c to cancel download"
    read

    if [[ ! -d ${OCP_RELEASE_DOWN_PATH} ]]; then
        echo "----> Downloading RHCOS resources to ${OCP_RELEASE_DOWN_PATH}"
        sudo mkdir -p ${OCP_RELEASE_DOWN_PATH}
        echo "--> Downloading RHCOS resources: RHCOS QEMU Image"
        sudo curl -s -L -o ${OCP_RELEASE_DOWN_PATH}/$(echo $RHCOS_QEMU_URI | xargs basename) ${RHCOS_QEMU_URI}
        echo "--> Downloading RHCOS resources: RHCOS Openstack Image"
        sudo curl -s -L -o ${OCP_RELEASE_DOWN_PATH}/$(echo $RHCOS_OPENSTACK_URI | xargs basename) ${RHCOS_OPENSTACK_URI}
        echo "--> Downloading RHCOS resources: RHCOS ISO"
        sudo curl -s -L -o ${OCP_RELEASE_DOWN_PATH}/$(echo $RHCOS_ISO_URI | xargs basename) ${RHCOS_ISO_URI}
        echo "--> Downloading RHCOS resources: RHCOS RootFS"
        sudo curl -s -L -o ${OCP_RELEASE_DOWN_PATH}/$(echo $RHCOS_ROOT_FS | xargs basename) ${RHCOS_ROOT_FS}
    else
        echo "The folder already exists, so delete it if you want to re-download the RHCOS resources"
    fi
}

download_oc_client
download_ipi_installer
ocp_mirror_release
download_rhcos
```

## OpenShift 4 IPI Baremetal Deployment

Ok, we already have the `oc` client and the Baremetal installer matching the OCP release, so now we need to fill in our `InstallConfig` file.
In a disconnected/IPv6 environment we should keep some things in mind, but the `TL;DR` should be something like this:

```yaml
apiVersion: v1
baseDomain: redhat.com
networking:
  networkType: OVNKubernetes
  machineCIDR: 2120:52:0:0301::/64
  clusterNetwork:
  - cidr: fd01::/48
    hostPrefix: 64
  serviceNetwork:
  - fd02::/112
metadata:
  name: mgmt-hub
compute:
- name: worker
  replicas: 0
controlPlane:
  name: master
  replicas: 3
  platform:
    baremetal: {}
platform:
  baremetal:
    provisioningNetworkInterface: eno3s1f4
    provisioningNetworkCIDR: 2120:52:0:0302::/64
    provisioningBridge: "prov"
    externalBridge: "baremetal"
    bootstrapProvisioningIP: 2120:52:0:0301::2
    bootstrapOSImage: http://[2120:52:0:0301::1]/rhcos-48.84.202106161818-0-qemu.x86_64.qcow2.gz?sha256=3691572a946ec5c6cdf48b79663adabbb744303f63e7af7c3ff43dfa4ee9f6b2
    clusterOSImage: http://[2120:52:0:0301::1]/rhcos-48.84.202106161818-0-openstack.x86_64.qcow2.gz?sha256=871ebdcafb906ac361ab9685bc806ddfcf6aee9027b81b1b654ac2275f14e4eb
    apiVIP: 2120:52:0:0301::3
    ingressVIP: 2120:52:0:0301::2
    hosts:
    - name: openshift-master-0
      role: master
      bmc:
        address: ipmi://[2120:52:0:0301::81]
        username: user
        password: pa$$w0rd
      bootMACAddress: 18:DE:F2:8C:D8:93
      hardwareProfile: default
    - name: openshift-master-1
      role: master
      bmc:
        address: ipmi://[2120:52:0:0301::82]
        username: user
        password: pa$$w0rd
      bootMACAddress: 18:DE:12:8C:D1:A0
      hardwareProfile: default
    - name: openshift-master-2
      role: master
      bmc:
        address: ipmi://[2120:52:0:0301::83]
        username: user
        password: pa$$w0rd
      bootMACAddress: 18:AB:92:8C:D5:BD
      hardwareProfile: default
imageContentSources:
- mirrors:
  - bm-cluster-1-hyper.e2e.bos.redhat.com:5000/ocp4
  source: quay.io/openshift-release-dev/ocp-release
- mirrors:
  - bm-cluster-1-hyper.e2e.bos.redhat.com:5000/ocp4
  source: quay.io/openshift-release-dev/ocp-v4.0-art-dev
additionalTrustBundle: |
  -----BEGIN CERTIFICATE-----
  MIIGJzCCBA+gAwIBAgIUcuRdl0sEsCZMPWuE44snY/MLgcowDQYJKoZIhvcNAQEL
  ...
  ...
  BQAwgYgxCzAJBgNVBAYTAlVTMRYwFAYDVQQIDA1NYXNzYWNodXNldHRzMREwDwYD
  6Rf1YNZC6XaR2GzJTz8mdiyG4L/cG6um65TigWOjaAOfD5ecei+d0maqmw==
  -----END CERTIFICATE-----
pullSecret: |
  {"auths":{"bm-cluster-1-hyper.e2e.bos.redhat.com:5000":{"auth":"a25pOmtuaQ==","email":"john.doe@redhat.com"}}}
sshKey: |
  ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCaTNKY08frGZjQLyS5hHPqAGRV3kb... kni@bm-cluster-1-hyper.e2e.bos.redhat.com
```

**NOTE**: Ensure you have checked all the MAC addresses, BMC IPs and so on. If you have any doubt about any of the steps, there is a [great explanation of this process](https://openshift-kni.github.io/baremetal-deploy/); pick the right version and take a look.

Then we should have a folder structure similar to this one:

```console
ocp
├── deploy.sh
├── install-config_hub.yaml
└── ocp_mirror.sh
```

And now we just need to execute this script, which is `deploy.sh`:

```sh
#!/bin/bash
export OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE="bm-cluster-1-hyper.e2e.bos.redhat.com:5000/ocp4:4.8.0-fc.9-x86_64"
export CLUSTER=mgmt-hub

# Start from a clean asset directory and seed it with the install-config
rm -rf "$CLUSTER"
mkdir -p "$CLUSTER/openshift"
cp install-config_hub.yaml "$CLUSTER/install-config.yaml"
openshift-baremetal-install --dir "$CLUSTER" --log-level debug create cluster
```

After executing the script we will see a long trace showing how the installation is going, so be patient until the deployment finishes...
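
Before running `deploy.sh`, the `?sha256=` values pinned in the install-config URLs can be checked against the files actually hosted on the HTTPD server, since `ocp_mirror.sh` prints the digests but never verifies the downloads. This is an added example, not part of the repository: the function names and the sample data are assumptions, and, following the variable names in `ocp_mirror.sh`, `bootstrapOSImage` is treated as carrying the uncompressed digest and `clusterOSImage` the compressed one.

```shell
#!/bin/sh
# Added example (not from the repository): verify the RHCOS images hosted on the
# HTTPD server against the sha256 pinned in the install-config URLs.

# digest FILE MODE -> sha256 of FILE as stored, or of its gunzipped content
digest() {
    if [ "$2" = uncompressed ]; then
        gzip -dc "$1" | sha256sum | cut -d' ' -f1
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# verify_os_image KEY CONFIG DOCROOT
# Returns 0 on match, 1 on mismatch, 2 when no pin is found, 3 when the file is missing.
verify_os_image() {
    key=$1; config=$2; docroot=$3
    case $key in
        bootstrapOSImage) mode=uncompressed ;;   # RHCOS_QEMU_SHA_UNCOMPRESSED
        clusterOSImage)   mode=compressed ;;     # RHCOS_OPENSTACK_SHA_COMPRESSED
        *) echo "unsupported key: $key" >&2; return 2 ;;
    esac
    url=$(sed -n "s/^[[:space:]]*$key:[[:space:]]*//p" "$config" | head -n 1)
    want=$(printf '%s\n' "$url" | sed -n 's/.*[?&]sha256=\([0-9a-f]\{64\}\).*/\1/p')
    if [ -z "$want" ]; then
        echo "$key: no sha256 pin found in $config" >&2; return 2
    fi
    # Map the URL to a file: drop scheme and host, then the query string
    path=${url#*://}; path=/${path#*/}; path=${path%%\?*}
    file=$docroot$path
    if [ ! -f "$file" ]; then
        echo "$key: $file is not hosted" >&2; return 3
    fi
    got=$(digest "$file" "$mode")
    if [ "$got" != "$want" ]; then
        echo "$key: MISMATCH ($mode) want=$want got=$got" >&2; return 1
    fi
    echo "$key: OK ($mode sha256 matches $file)"
}

# Demo on constructed data: a fake image and an install-config line pinning it.
demo_verify() {
    tmp=$(mktemp -d) || return 1
    printf 'constructed qcow2 payload\n' > "$tmp/rhcos-demo-qemu.x86_64.qcow2"
    raw=$(sha256sum "$tmp/rhcos-demo-qemu.x86_64.qcow2" | cut -d' ' -f1)
    gzip "$tmp/rhcos-demo-qemu.x86_64.qcow2"
    printf '    bootstrapOSImage: http://[2001:db8::1]/rhcos-demo-qemu.x86_64.qcow2.gz?sha256=%s\n' \
        "$raw" > "$tmp/install-config.yaml"
    verify_os_image bootstrapOSImage "$tmp/install-config.yaml" "$tmp"; rc=$?
    rm -rf "$tmp"
    return $rc
}
demo_verify
```

Against the files on this page it would be called as `verify_os_image clusterOSImage install-config_hub.yaml /var/www/html`, with the document root adjusted to wherever the images are served from.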

![](/assets/8-hours-later.jpg)

This should be the typical output of this execution:

```console
DEBUG Still waiting for the cluster to initialize: Working towards 4.8.0-fc.8: 20 of 676 done (2% complete)
DEBUG Still waiting for the cluster to initialize: Working towards 4.8.0-fc.8: 32 of 676 done (4% complete)
DEBUG Still waiting for the cluster to initialize: Working towards 4.8.0-fc.8: 35 of 676 done (5% complete)
DEBUG Still waiting for the cluster to initialize: Working towards 4.8.0-fc.8: 526 of 676 done (77% complete)
DEBUG Cluster is initialized
INFO Waiting up to 10m0s for the openshift-console route to be created...
DEBUG Route found in openshift-console namespace: console
DEBUG OpenShift console route is admitted
INFO Install complete!
INFO To access the cluster as the system:admin user when using 'oc', run 'export KUBECONFIG=/home/jdoe/ocp/mgmt-hub/auth/kubeconfig'
INFO Access the OpenShift web-console here: https://console-openshift-console.apps.mgmt-hub.redhat.com
INFO Login to the console with user: "kubeadmin", and password: "zhkf6-5a5th-f567lq-609r5f"
DEBUG Time elapsed per stage:
DEBUG Infrastructure: 28m8s
DEBUG Bootstrap Complete: 14m48s
DEBUG API: 40s
DEBUG Bootstrap Destroy: 14s
DEBUG Cluster Operators: 17m54s
INFO Time elapsed: 1h1m9s
```

## Side scenarios

### Spoke deployment without Provisioning network

**Scenario**: I have my HUB with a provisioning network but the spokes cannot reach the ISO served by Ironic

Ok, this situation happens when your Hub cluster has a Provisioning network configured and your spokes don't. The ISO will be served from that provisioning network by Ironic and the BMCs are capable of reaching those URLs (as long as those Prov networks are not routable between them).

To solve that situation we need to modify our Hub cluster configuration:

```sh
oc edit provisioning provisioning-configuration
```

Something like this will appear:

```yaml
spec:
  provisioningDHCPRange: 2620:52:0:1307::a,2620:52:0:1307:ffff:ffff:ffff:fffe
  provisioningIP: 2620:52:0:1307::3
  provisioningInterface: enp3s0f1
  provisioningNetwork: Managed
  provisioningNetworkCIDR: 2620:52:0:1307::/64
  provisioningOSDownloadURL: http://[2620:52:0:1302::1]/4.8.0-rc.1-x86_64/rhcos-48.84.202106091622-0-openstack.x86_64.qcow2.gz?sha256=6ab5c6413f275277ea90f7dfc66424ef14993941ba3a9f3a43955ab268e7d76d
  watchAllNamespaces: true
```

So now we need to modify it to match this configuration:

```yaml
spec:
  provisioningNetwork: Disabled
  provisioningOSDownloadURL: http://[2620:52:0:1302::1]/4.8.0-rc.1-x86_64/rhcos-48.84.202106091622-0-openstack.x86_64.qcow2.gz?sha256=6ab5c6413f275277ea90f7dfc66424ef14993941ba3a9f3a43955ab268e7d76d
  watchAllNamespaces: true
```

Then the Metal3 pod will be recreated. From this point we need to delete the current manifests for our Spoke cluster, including the ACI, CD, NMState, etc...

--------------------------------------------------------------------------------