├── charts ├── capi-management │ ├── values.yaml │ ├── templates │ │ ├── AWSClusterControllerIdentity.yaml │ │ └── _helpers.tpl │ ├── .helmignore │ └── Chart.yaml ├── rosa-capi │ ├── README.md │ ├── templates │ │ ├── ROSACluster.yaml │ │ ├── secrets.yaml │ │ ├── opensift-gitops-cluster-resource-set.yaml │ │ ├── Cluster.yaml │ │ ├── ROSAControlPlane.yaml │ │ ├── _helpers.tpl │ │ └── openshift-gitops.yaml │ ├── .helmignore │ ├── Chart.yaml │ └── values.yaml └── openshift-management │ ├── templates │ ├── post-hook │ │ ├── post-install-hook-sa.yaml │ │ ├── post-install-hook-cr.yaml │ │ ├── post-install-hook-crb.yaml │ │ └── post-install-hook-job.yaml │ ├── rolebinding-capi-system.yaml │ ├── rolebinding-capa-system.yaml │ ├── rolebinding-capi-kubeadm-bootstrap-system.yaml │ ├── rolebinding-capi-kubeadm-control-plane-system.yaml │ └── _helpers.tpl │ ├── values.yaml │ ├── .helmignore │ └── Chart.yaml └── README.md /charts/capi-management/values.yaml: -------------------------------------------------------------------------------- 1 | # Default values for capi-management. 2 | 3 | -------------------------------------------------------------------------------- /charts/rosa-capi/README.md: -------------------------------------------------------------------------------- 1 | # rosa-capi 2 | 3 | ## Quick Start 4 | 5 | ``` 6 | helm template --name-template=rosa-hcp --set ocmToken=jSDFsdfsdfSDF . 
| oc apply -f - 7 | ``` 8 | -------------------------------------------------------------------------------- /charts/capi-management/templates/AWSClusterControllerIdentity.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: infrastructure.cluster.x-k8s.io/v1beta2 3 | kind: AWSClusterControllerIdentity 4 | metadata: 5 | name: default 6 | spec: 7 | allowedNamespaces: 8 | selector: {} 9 | -------------------------------------------------------------------------------- /charts/openshift-management/templates/post-hook/post-install-hook-sa.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.rbac.enabled }} 2 | --- 3 | apiVersion: v1 4 | kind: ServiceAccount 5 | metadata: 6 | name: openshift-capi-management-hook 7 | namespace: capi-system 8 | {{- end }} 9 | -------------------------------------------------------------------------------- /charts/rosa-capi/templates/ROSACluster.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: infrastructure.cluster.x-k8s.io/v1beta2 3 | kind: ROSACluster 4 | metadata: 5 | name: {{ include "rosa-capi.fullname" . }} 6 | namespace: {{ default "default" .Values.namespace }} 7 | labels: 8 | {{- include "rosa-capi.labels" . | nindent 4 }} 9 | spec: {} 10 | 11 | 12 | -------------------------------------------------------------------------------- /charts/rosa-capi/templates/secrets.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: {{ include "rosa-capi.fullname" . }}-secret 6 | labels: 7 | {{- include "rosa-capi.labels" . 
| nindent 4 }} 8 | type: Opaque 9 | data: 10 | ocmApiUrl: {{ .Values.ocmAPIUrl | default "https://api.openshift.com" | b64enc }} 11 | ocmToken: {{ .Values.ocmToken | b64enc }} 12 | 13 | -------------------------------------------------------------------------------- /charts/openshift-management/templates/post-hook/post-install-hook-cr.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.rbac.enabled }} 2 | --- 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | kind: ClusterRole 5 | metadata: 6 | name: openshift-capi-restart-hook 7 | rules: 8 | - apiGroups: 9 | - apps 10 | resources: 11 | - deployments 12 | verbs: 13 | - get 14 | - list 15 | - patch 16 | - watch 17 | {{- end }} 18 | -------------------------------------------------------------------------------- /charts/openshift-management/values.yaml: -------------------------------------------------------------------------------- 1 | # Default values for openshift-management. 2 | 3 | #capa: 4 | # namespace: "capa-system" 5 | 6 | #capi: 7 | # namespace: "capi-system" 8 | 9 | #capiKubeadmBootstrap: 10 | # namespace: "capi-kubeadm-bootstrap-system" 11 | 12 | #capiKubeadmControlPlane: 13 | # namespace: "capi-kubeadm-control-plane-system" 14 | 15 | 16 | # Disable RBAC if you don't need to manage aspects like rolebindings, etc. 17 | rbac: 18 | enabled: true 19 | -------------------------------------------------------------------------------- /charts/rosa-capi/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /charts/capi-management/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /charts/openshift-management/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /charts/rosa-capi/templates/opensift-gitops-cluster-resource-set.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.enableArgoCD }} 2 | apiVersion: addons.cluster.x-k8s.io/v1beta1 3 | kind: ClusterResourceSet 4 | metadata: 5 | name: openshift-gitops-crs 6 | namespace: {{ default "default" .Values.namespace }} 7 | spec: 8 | strategy: ApplyOnce 9 | clusterSelector: 10 | matchLabels: 11 | rosa-capi/clusterName: {{ include "rosa-capi.name" . }} 12 | resources: 13 | - name: openshift-gitops 14 | kind: ConfigMap 15 | {{- end }} -------------------------------------------------------------------------------- /charts/openshift-management/templates/post-hook/post-install-hook-crb.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.rbac.enabled }} 2 | --- 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | kind: ClusterRoleBinding 5 | metadata: 6 | name: openshift-capi-management-hook 7 | namespace: capi-system 8 | subjects: 9 | - kind: ServiceAccount 10 | name: openshift-capi-management-hook 11 | namespace: capi-system 12 | roleRef: 13 | apiGroup: rbac.authorization.k8s.io 14 | kind: ClusterRole 15 | name: openshift-capi-restart-hook 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /charts/openshift-management/templates/rolebinding-capi-system.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.rbac.enabled }} 2 | --- 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | kind: RoleBinding 5 | metadata: 6 | name: 
capi-openshift-scc 7 | namespace: {{ default "capi-system" (.Values.capi).namespace }} 8 | subjects: 9 | - kind: ServiceAccount 10 | name: capi-manager 11 | namespace: {{ default "capi-system" (.Values.capi).namespace }} 12 | roleRef: 13 | apiGroup: rbac.authorization.k8s.io 14 | kind: ClusterRole 15 | name: system:openshift:scc:nonroot-v2 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /charts/openshift-management/templates/rolebinding-capa-system.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.rbac.enabled }} 2 | --- 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | kind: RoleBinding 5 | metadata: 6 | name: capa-openshift-scc 7 | namespace: {{ default "capa-system" (.Values.capa).namespace }} 8 | subjects: 9 | - kind: ServiceAccount 10 | name: capa-controller-manager 11 | namespace: {{ default "capa-system" (.Values.capa).namespace }} 12 | roleRef: 13 | apiGroup: rbac.authorization.k8s.io 14 | kind: ClusterRole 15 | name: system:openshift:scc:nonroot-v2 16 | {{- end }} -------------------------------------------------------------------------------- /charts/openshift-management/templates/rolebinding-capi-kubeadm-bootstrap-system.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.rbac.enabled }} 2 | --- 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | kind: RoleBinding 5 | metadata: 6 | name: capi-kubeadm-bootstrap-manager-openshift-scc 7 | namespace: {{ default "capi-kubeadm-bootstrap-system" (.Values.capiKubeadmBootstrap).namespace }} 8 | subjects: 9 | - kind: ServiceAccount 10 | name: capi-kubeadm-bootstrap-manager 11 | namespace: {{ default "capi-kubeadm-bootstrap-system" (.Values.capiKubeadmBootstrap).namespace }} 12 | roleRef: 13 | apiGroup: rbac.authorization.k8s.io 14 | kind: ClusterRole 15 | name: system:openshift:scc:nonroot-v2 16 | {{- end }} 17 | 
-------------------------------------------------------------------------------- /charts/openshift-management/templates/rolebinding-capi-kubeadm-control-plane-system.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.rbac.enabled }} 2 | --- 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | kind: RoleBinding 5 | metadata: 6 | name: capi-kubeadm-control-plane-manager-openshift-scc 7 | namespace: {{ default "capi-kubeadm-control-plane-system" (.Values.capiKubeadmControlPlane).namespace }} 8 | subjects: 9 | - kind: ServiceAccount 10 | name: capi-kubeadm-control-plane-manager 11 | namespace: {{ default "capi-kubeadm-control-plane-system" (.Values.capiKubeadmControlPlane).namespace }} 12 | roleRef: 13 | apiGroup: rbac.authorization.k8s.io 14 | kind: ClusterRole 15 | name: system:openshift:scc:nonroot-v2 16 | {{- end }} 17 | 18 | -------------------------------------------------------------------------------- /charts/rosa-capi/templates/Cluster.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: cluster.x-k8s.io/v1beta1 3 | kind: Cluster 4 | metadata: 5 | name: {{ include "rosa-capi.fullname" . }} 6 | namespace: {{ default "default" .Values.namespace }} 7 | labels: 8 | {{- include "rosa-capi.labels" . | nindent 4 }} 9 | spec: 10 | clusterNetwork: 11 | pods: 12 | cidrBlocks: ["{{ .Values.rosaControlPlane.network.podCIDR }}"] 13 | infrastructureRef: 14 | apiVersion: infrastructure.cluster.x-k8s.io/v1beta2 15 | kind: ROSACluster 16 | name: {{ include "rosa-capi.fullname" . }} 17 | controlPlaneRef: 18 | apiVersion: controlplane.cluster.x-k8s.io/v1beta2 19 | kind: ROSAControlPlane 20 | name: "{{ include "rosa-capi.fullname" . 
}}-control-plane" 21 | 22 | 23 | 24 | -------------------------------------------------------------------------------- /charts/rosa-capi/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: rosa-capi 3 | description: A Helm Chart to manage ROSA HCP clusters with CAPI 4 | 5 | # A chart can be either an 'application' or a 'library' chart. 6 | # 7 | # Application charts are a collection of templates that can be packaged into versioned archives 8 | # to be deployed. 9 | # 10 | # Library charts provide useful utilities or functions for the chart developer. They're included as 11 | # a dependency of application charts to inject those utilities and functions into the rendering 12 | # pipeline. Library charts do not define any templates and therefore cannot be deployed. 13 | type: application 14 | 15 | # This is the chart version. This version number should be incremented each time you make changes 16 | # to the chart and its templates, including the app version. 17 | # Versions are expected to follow Semantic Versioning (https://semver.org/) 18 | version: 0.1.0 19 | 20 | -------------------------------------------------------------------------------- /charts/capi-management/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: capi-management 3 | description: A Helm chart used to manage the CAPI Management Cluster content 4 | 5 | # A chart can be either an 'application' or a 'library' chart. 6 | # 7 | # Application charts are a collection of templates that can be packaged into versioned archives 8 | # to be deployed. 9 | # 10 | # Library charts provide useful utilities or functions for the chart developer. They're included as 11 | # a dependency of application charts to inject those utilities and functions into the rendering 12 | # pipeline. Library charts do not define any templates and therefore cannot be deployed. 
13 | type: application 14 | 15 | # This is the chart version. This version number should be incremented each time you make changes 16 | # to the chart and its templates, including the app version. 17 | # Versions are expected to follow Semantic Versioning (https://semver.org/) 18 | version: 0.1.0 19 | 20 | -------------------------------------------------------------------------------- /charts/openshift-management/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: openshift-management 3 | description: A Helm chart used to manage the OpenShift Management Cluster content 4 | 5 | # A chart can be either an 'application' or a 'library' chart. 6 | # 7 | # Application charts are a collection of templates that can be packaged into versioned archives 8 | # to be deployed. 9 | # 10 | # Library charts provide useful utilities or functions for the chart developer. They're included as 11 | # a dependency of application charts to inject those utilities and functions into the rendering 12 | # pipeline. Library charts do not define any templates and therefore cannot be deployed. 13 | type: application 14 | 15 | # This is the chart version. This version number should be incremented each time you make changes 16 | # to the chart and its templates, including the app version. 17 | # Versions are expected to follow Semantic Versioning (https://semver.org/) 18 | version: 0.1.0 19 | 20 | -------------------------------------------------------------------------------- /charts/rosa-capi/templates/ROSAControlPlane.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: controlplane.cluster.x-k8s.io/v1beta2 3 | kind: ROSAControlPlane 4 | metadata: 5 | name: {{ include "rosa-capi.fullname" . }}-control-plane 6 | namespace: {{ default "default" .Values.namespace }} 7 | labels: 8 | {{- include "rosa-capi.labels" . 
| nindent 4 }} 9 | spec: 10 | availabilityZones: {{- toYaml .Values.rosaControlPlane.availabilityZones | nindent 4 }} 11 | additionalTags: 12 | "rosa-capi-demo/cluster-name": {{ include "rosa-capi.fullname" . }} 13 | billingAccount: "{{ .Values.rosaControlPlane.billingAccount }}" 14 | credentialsSecretRef: 15 | name: {{ include "rosa-capi.fullname" . }}-secret 16 | endpointAccess: {{ .Values.rosaControlPlane.endpointAccess }} 17 | installerRoleARN: {{ .Values.rosaControlPlane.awsRoles.installerRoleARN }} 18 | network: {{- toYaml .Values.rosaControlPlane.network | nindent 4 }} 19 | oidcID: "{{ .Values.rosaControlPlane.oidcID }}" 20 | region: "{{ .Values.rosaControlPlane.region }}" 21 | rolesRef: {{- toYaml .Values.rosaControlPlane.awsRoles.rolesRef | nindent 4 }} 22 | rosaClusterName: {{ include "rosa-capi.fullname" . }} 23 | subnets: {{- toYaml .Values.rosaControlPlane.subnets | nindent 4 }} 24 | supportRoleARN: {{ .Values.rosaControlPlane.awsRoles.supportRoleARN }} 25 | workerRoleARN: {{ .Values.rosaControlPlane.awsRoles.workerRoleARN }} 26 | version: "{{ .Values.rosaControlPlane.version }}" 27 | -------------------------------------------------------------------------------- /charts/openshift-management/templates/post-hook/post-install-hook-job.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.rbac.enabled }} 2 | --- 3 | apiVersion: batch/v1 4 | kind: Job 5 | metadata: 6 | name: {{ include "openshift-management.fullname" . }}-hook 7 | namespace: capi-system 8 | labels: 9 | {{- include "openshift-management.labels" . 
| nindent 4 }} 10 | annotations: 11 | "helm.sh/hook": post-install 12 | "helm.sh/hook-weight": "-1" 13 | "helm.sh/hook-delete-policy": hook-succeeded 14 | spec: 15 | template: 16 | metadata: 17 | name: "{{ .Release.Name }}" 18 | labels: 19 | app.kubernetes.io/managed-by: {{ .Release.Service | quote }} 20 | app.kubernetes.io/instance: {{ .Release.Name | quote }} 21 | helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" 22 | spec: 23 | restartPolicy: Never 24 | containers: 25 | - name: post-install-job 26 | image: registry.redhat.io/openshift4/ose-cli 27 | command: 28 | - /bin/bash 29 | - -c 30 | - | 31 | oc rollout restart deployment capi-controller-manager -n capi-system 32 | oc rollout restart deployment capa-controller-manager -n capa-system 33 | oc rollout restart deployment capi-kubeadm-bootstrap-controller-manager -n capi-kubeadm-bootstrap-system 34 | oc rollout restart deployment capi-kubeadm-control-plane-controller-manager -n capi-kubeadm-control-plane-system 35 | serviceAccountName: openshift-capi-management-hook 36 | {{- end }} 37 | -------------------------------------------------------------------------------- /charts/rosa-capi/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* 2 | Expand the name of the chart. 3 | */}} 4 | {{- define "rosa-capi.name" -}} 5 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} 6 | {{- end }} 7 | 8 | {{/* 9 | Create a default fully qualified app name. 10 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 11 | If release name contains chart name it will be used as a full name. 
12 | */}} 13 | {{- define "rosa-capi.fullname" -}} 14 | {{- if .Values.fullnameOverride }} 15 | {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} 16 | {{- else }} 17 | {{- $name := default .Chart.Name .Values.nameOverride }} 18 | {{- if contains $name .Release.Name }} 19 | {{- .Release.Name | trunc 63 | trimSuffix "-" }} 20 | {{- else }} 21 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} 22 | {{- end }} 23 | {{- end }} 24 | {{- end }} 25 | 26 | {{/* 27 | Create chart name and version as used by the chart label. 28 | */}} 29 | {{- define "rosa-capi.chart" -}} 30 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} 31 | {{- end }} 32 | 33 | {{/* 34 | Common labels 35 | */}} 36 | {{- define "rosa-capi.labels" -}} 37 | helm.sh/chart: {{ include "rosa-capi.chart" . }} 38 | {{ include "rosa-capi.selectorLabels" . }} 39 | {{- if .Chart.AppVersion }} 40 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 41 | {{- end }} 42 | app.kubernetes.io/managed-by: {{ .Release.Service }} 43 | rosa-capi/clusterName: {{ include "rosa-capi.name" . }} 44 | {{- end }} 45 | 46 | {{/* 47 | Selector labels 48 | */}} 49 | {{- define "rosa-capi.selectorLabels" -}} 50 | app.kubernetes.io/name: {{ include "rosa-capi.name" . }} 51 | app.kubernetes.io/instance: {{ .Release.Name }} 52 | {{- end }} 53 | 54 | {{/* 55 | Create the name of the service account to use 56 | */}} 57 | {{- define "rosa-capi.serviceAccountName" -}} 58 | {{- if .Values.serviceAccount.create }} 59 | {{- default (include "rosa-capi.fullname" .) .Values.serviceAccount.name }} 60 | {{- else }} 61 | {{- default "default" .Values.serviceAccount.name }} 62 | {{- end }} 63 | {{- end }} 64 | -------------------------------------------------------------------------------- /charts/capi-management/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* 2 | Expand the name of the chart. 
3 | */}} 4 | {{- define "capi-management.name" -}} 5 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} 6 | {{- end }} 7 | 8 | {{/* 9 | Create a default fully qualified app name. 10 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 11 | If release name contains chart name it will be used as a full name. 12 | */}} 13 | {{- define "capi-management.fullname" -}} 14 | {{- if .Values.fullnameOverride }} 15 | {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} 16 | {{- else }} 17 | {{- $name := default .Chart.Name .Values.nameOverride }} 18 | {{- if contains $name .Release.Name }} 19 | {{- .Release.Name | trunc 63 | trimSuffix "-" }} 20 | {{- else }} 21 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} 22 | {{- end }} 23 | {{- end }} 24 | {{- end }} 25 | 26 | {{/* 27 | Create chart name and version as used by the chart label. 28 | */}} 29 | {{- define "capi-management.chart" -}} 30 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} 31 | {{- end }} 32 | 33 | {{/* 34 | Common labels 35 | */}} 36 | {{- define "capi-management.labels" -}} 37 | helm.sh/chart: {{ include "capi-management.chart" . }} 38 | {{ include "capi-management.selectorLabels" . }} 39 | {{- if .Chart.AppVersion }} 40 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 41 | {{- end }} 42 | app.kubernetes.io/managed-by: {{ .Release.Service }} 43 | {{- end }} 44 | 45 | {{/* 46 | Selector labels 47 | */}} 48 | {{- define "capi-management.selectorLabels" -}} 49 | app.kubernetes.io/name: {{ include "capi-management.name" . }} 50 | app.kubernetes.io/instance: {{ .Release.Name }} 51 | {{- end }} 52 | 53 | {{/* 54 | Create the name of the service account to use 55 | */}} 56 | {{- define "capi-management.serviceAccountName" -}} 57 | {{- if .Values.serviceAccount.create }} 58 | {{- default (include "capi-management.fullname" .) 
.Values.serviceAccount.name }} 59 | {{- else }} 60 | {{- default "default" .Values.serviceAccount.name }} 61 | {{- end }} 62 | {{- end }} 63 | -------------------------------------------------------------------------------- /charts/openshift-management/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* 2 | Expand the name of the chart. 3 | */}} 4 | {{- define "openshift-management.name" -}} 5 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} 6 | {{- end }} 7 | 8 | {{/* 9 | Create a default fully qualified app name. 10 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 11 | If release name contains chart name it will be used as a full name. 12 | */}} 13 | {{- define "openshift-management.fullname" -}} 14 | {{- if .Values.fullnameOverride }} 15 | {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} 16 | {{- else }} 17 | {{- $name := default .Chart.Name .Values.nameOverride }} 18 | {{- if contains $name .Release.Name }} 19 | {{- .Release.Name | trunc 63 | trimSuffix "-" }} 20 | {{- else }} 21 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} 22 | {{- end }} 23 | {{- end }} 24 | {{- end }} 25 | 26 | {{/* 27 | Create chart name and version as used by the chart label. 28 | */}} 29 | {{- define "openshift-management.chart" -}} 30 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} 31 | {{- end }} 32 | 33 | {{/* 34 | Common labels 35 | */}} 36 | {{- define "openshift-management.labels" -}} 37 | helm.sh/chart: {{ include "openshift-management.chart" . }} 38 | {{ include "openshift-management.selectorLabels" . 
}} 39 | {{- if .Chart.AppVersion }} 40 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 41 | {{- end }} 42 | app.kubernetes.io/managed-by: {{ .Release.Service }} 43 | {{- end }} 44 | 45 | {{/* 46 | Selector labels 47 | */}} 48 | {{- define "openshift-management.selectorLabels" -}} 49 | app.kubernetes.io/name: {{ include "openshift-management.name" . }} 50 | app.kubernetes.io/instance: {{ .Release.Name }} 51 | {{- end }} 52 | 53 | {{/* 54 | Create the name of the service account to use 55 | */}} 56 | {{- define "openshift-management.serviceAccountName" -}} 57 | {{- if .Values.serviceAccount.create }} 58 | {{- default (include "openshift-management.fullname" .) .Values.serviceAccount.name }} 59 | {{- else }} 60 | {{- default "default" .Values.serviceAccount.name }} 61 | {{- end }} 62 | {{- end }} 63 | -------------------------------------------------------------------------------- /charts/rosa-capi/values.yaml: -------------------------------------------------------------------------------- 1 | # Default values for rosa-capi. 2 | 3 | # Set the value to true if you need ArgoCd to be installed on the new cluster 4 | enableArgoCD: false 5 | 6 | # Set namespace where you want the cluster to be installed 7 | namespace: default 8 | 9 | # nameOverride: my-test-cluster 10 | fullnameOverride: my-test-cluster 11 | 12 | # Generate a token from https://console.redhat.com/openshift/token/rosa and paste it here 13 | # - alternatively supply it on the CLI with '--set ocmToken' 14 | #ocmToken: eyJhbGciOiJIUZzabDrsd...... 15 | 16 | # For the most cases, the OCM API URL doesn't need to be changed - but it's here in case you need to change it from the default 17 | #ocmApiUrl 18 | 19 | rosaControlPlane: 20 | awsRoles: 21 | # Replace with your targeted AWS account # 22 | # Replace the "ManagedOpenShift-HCO-ROSA..." 
part with what you used in your environment 23 | installerRoleARN: "arn:aws:iam:::role/ManagedOpenShift-HCP-ROSA-Installer-Role" 24 | supportRoleARN: "arn:aws:iam:::role/ManagedOpenShift-HCP-ROSA-Support-Role" 25 | workerRoleARN: "arn:aws:iam:::role/ManagedOpenShift-HCP-ROSA-Worker-Role" 26 | rolesRef: 27 | ingressARN: "arn:aws:iam:::role/rhpds-capi-1-openshift-ingress-operator-cloud-credentials" 28 | imageRegistryARN: "arn:aws:iam:::role/rhpds-capi-1-openshift-image-registry-installer-cloud-credential" 29 | storageARN: "arn:aws:iam:::role/rhpds-capi-1-openshift-cluster-csi-drivers-ebs-cloud-credentials" 30 | networkARN: "arn:aws:iam:::role/rhpds-capi-1-openshift-cloud-network-config-controller-cloud-cre" 31 | kubeCloudControllerARN: "arn:aws:iam:::role/rhpds-capi-1-kube-system-kube-controller-manager" 32 | nodePoolManagementARN: "arn:aws:iam:::role/rhpds-capi-1-kube-system-capa-controller-manager" 33 | controlPlaneOperatorARN: "arn:aws:iam:::role/rhpds-capi-1-kube-system-control-plane-operator" 34 | kmsProviderARN: "arn:aws:iam:::role/rhpds-capi-1-kube-system-kms-provider" 35 | 36 | availabilityZones: 37 | - "us-east-1a" 38 | - "us-east-1b" 39 | - "us-east-1c" 40 | 41 | billingAccount: 42 | 43 | # Set this to "private" or "public" 44 | # - remember to adjust subnets below accordingly 45 | endpointAccess: "public" 46 | 47 | # Supply the OIDC ID for your environment 48 | oidcID: 3a4bgjoe7d7shfngim18b740e7p81aof 49 | 50 | network: 51 | # Set networkType to "Other" to install no CNI 52 | #networkType: Other 53 | 54 | #prefix: 23 55 | 56 | #machineCIDR: "10.0.0.0/16" 
57 | podCIDR: "10.128.0.0/14" 58 | #serviceCIDR: "172.30.0.0/16" 59 | 60 | # For Public Clusters, the subnets come in pairs - one private and one public 61 | # For Private Clusters, only supply private subnets 62 | subnets: 63 | - subnet- 64 | - subnet- 65 | - subnet- 66 | - subnet- 67 | - subnet- 68 | - subnet- 69 | 70 | region: "us-east-1" 71 | version: "4.15.0" 72 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Declarative OpenShift 2 | 3 | ### Looking for old stuff? 4 | Are you looking for older content that used to exist here? If so, please check out the [v1.0.0 release](https://github.com/redhat-cop/declarative-openshift/releases/tag/v1.0.0). 5 | 6 | ## Overview 7 | This repository contains sets of example resources to be used with a [declarative management strategy](https://kubernetes.io/docs/tasks/manage-kubernetes-objects/declarative-config/). Please familiarize yourself with the terminology in that document before reading on. 8 | 9 | ## Kubernetes Cluster API 10 | Starting with the 2.x version of this repository, the focus is on using [Cluster API](https://cluster-api.sigs.k8s.io/) paired with a variety of tools to support the full declarative approach for OpenShift Cluster provisioning / bootstrapping, upgrades and multi-cluster & multi-account management. 11 | 12 | ### CAPA - Cluster API Provider AWS 13 | For managing clusters hosted on AWS, including [Red Hat OpenShift on AWS (ROSA)](https://www.redhat.com/en/technologies/cloud-computing/openshift/aws), we utilize [CAPA](https://cluster-api-aws.sigs.k8s.io/) as it nicely integrates and works together with CAPI. 14 | 15 | ## OpenShift GitOps - ArgoCD 16 | [Red Hat OpenShift GitOps](https://www.redhat.com/en/technologies/cloud-computing/openshift/gitops) may now play a role in the entire lifecycle of a cluster, and the entire deployment. 
Not only can it be used to manage the content of an operational OpenShift cluster, but it can also be used as part of a management cluster setup to manage the targeted clusters managed with CAPI. 17 | 18 | ### ClusterResourceSet 19 | As part of bootstrapping a new environment, there is a need to inject new content to allow for connectivity and initial setups for connecting tooling to talk to the cluster. This can be achieved in multiple ways - including running OpenShift GitOps **in the cluster** for full content management, or using [ClusterResourceSet](https://cluster-api.sigs.k8s.io/developer/architecture/controllers/cluster-resource-set.html) to manage a minimal set of content in the event that an external content management system is used (e.g.: running OpenShift GitOps at a centralized management cluster). 20 | 21 | ## Managing OpenShift Clusters 22 | 23 | ### Prerequisites 24 | Before applying any of the manifests to create a new cluster(s), the following prerequisites need to be met: 25 | - A valid AWS account with full admin access 26 | - A valid account for [Red Hat Hybrid Cloud Console](https://console.redhat.com/openshift/overview) 27 | - [Steps 1-3 here](https://docs.aws.amazon.com/rosa/latest/userguide/getting-started-hcp.html#getting-started-hcp-step-1) to create the necessary VPC configuration and account and operator roles. 28 | 29 | **_NOTE_**: _Steps 1-3 from above will soon be replaced with declarative content within this repo. More to come on this soon..._ 30 | 31 | ### Management Cluster 32 | In order to deploy a new OpenShift Cluster using CAPI, you will need a management cluster with the necessary CAPI and CAPA deployments in an operational state. 
33 | 34 | To get started, install the following tools on your local machine: 35 | - [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html) 36 | - [clusterawsadm](https://github.com/kubernetes-sigs/cluster-api-provider-aws/releases) CLI tool 37 | - [clusterctl](https://cluster-api.sigs.k8s.io/user/quick-start.html#install-clusterctl) CLI tool 38 | - kubectl and/or oc CLI tool 39 | - [helm](https://helm.sh/docs/intro/quickstart/#install-helm) 40 | 41 | Run the following commands to prepare the environment and management cluster: 42 | ``` 43 | export KUBECONFIG=... 44 | export AWS_REGION=... 45 | export AWS_ACCESS_KEY_ID=... 46 | export AWS_SECRET_ACCESS_KEY=... 47 | export AWS_SESSION_TOKEN=... # (optional) 48 | export AWS_B64ENCODED_CREDENTIALS=$(clusterawsadm bootstrap credentials encode-as-profile) 49 | export EXP_ROSA="true" 50 | export EXP_MACHINE_POOL="true" 51 | clusterctl init --infrastructure aws 52 | ``` 53 | 54 | Apply customizations provided by this repo: 55 | 56 | **_Optional_**: This step is needed if your management cluster is an OpenShift Cluster 57 | 58 | ``` 59 | helm template --release-name rosa-hcp charts/openshift-management | oc apply -f - 60 | ``` 61 | 62 | Make sure the CAPI pods are operational before running the next apply.
This can be done by checking the output of the following commands:

```
oc get pods -n capi-system
oc get pods -n capa-system
oc get pods -n capi-kubeadm-bootstrap-system
oc get pods -n capi-kubeadm-control-plane-system
```

Apply CAPI specific configurations needed to support the upcoming workloads:

```
helm template charts/capi-management | oc apply -f -
```

Run the following commands to validate that everything is set up correctly, and ready for your first ROSA HCP cluster deployment with CAPI (all commands should return output containing the values in the grep part of the command):

```
oc get crd | grep rosa
oc get deployment -n capa-system capa-controller-manager -o yaml | grep ROSA=true
oc get deploy capi-controller-manager -n capi-system -o yaml | grep MachinePool=true
```

### Quickstart - Simple CAPI / CAPA

#### Install
With the above steps from the Management Cluster done, it is now time to deploy the first (workload) cluster. For this first simple quickstart, that is done in two steps:

1. Tweak the values in [charts/rosa-capi/values.yaml](charts/rosa-capi/values.yaml)
2. run `helm template --release-name rosa-hcp --set ocmToken=<your-ocm-token> charts/rosa-capi | oc apply -f -`

**_NOTE:_** Replace the `rosa-hcp` release name and OCM Token above with your own values - alternatively set your OCM Token in the values file. The OCM Token can be fetched from https://console.redhat.com/openshift/token/rosa. The token is a credential for your Red Hat account: avoid passing it with `--set` on a shared machine (it ends up in shell history and the process list) - prefer `--set-file ocmToken=<path-to-token-file>` or reading it from an environment variable - and never commit a values file that contains it.

#### Validation steps
Check the status of the `ROSAControlPlane` deployment:

```
oc get rosacontrolplane
```

Once the cluster shows state "READY" as "true", the cluster is available to access.
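Extract the kubeconfig and use it to access the cluster (the secret is named after the `Cluster` resource, i.e. `<cluster-name>-kubeconfig`):

```
oc get secret <cluster-name>-kubeconfig -o jsonpath='{.data.value}' | base64 -d > /tmp/rosa-capi.kubeconfig
export KUBECONFIG=/tmp/rosa-capi.kubeconfig
oc get nodes
```

**_Security note_**: the extracted kubeconfig grants access to the new cluster. Write it somewhere only you can read (e.g. `chmod 600` the file, or use a directory outside the shared `/tmp`) and delete it when you are done.

#### Troubleshooting

**_coming soon..._**
--------------------------------------------------------------------------------
/charts/rosa-capi/templates/openshift-gitops.yaml:
--------------------------------------------------------------------------------
{{- if .Values.enableArgoCD }}
# Bootstrap bundle for OpenShift GitOps (Argo CD) on a workload cluster.
# The manifests are carried inside a ConfigMap so they can be delivered to the
# workload cluster (e.g. by a ClusterResourceSet) rather than applied directly
# by Helm; the `helm.sh/hook` annotations copied from the upstream chart are
# presumably inert on that path (NOTE(review): confirm).
apiVersion: v1
kind: ConfigMap
metadata:
  name: openshift-gitops
  namespace: {{ default "default" .Values.namespace }}
data:
  argocd.yaml: |-
    # Application controller role: '*' verbs on all resources and all
    # non-resource URLs, i.e. cluster-admin-equivalent. Anyone allowed to
    # create or sync Applications in this Argo CD instance can therefore act
    # as cluster-admin, which is why the Argo CD RBAC policy further down
    # must not hand out role:admin to every authenticated user.
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      labels:
        app.kubernetes.io/component: application-controller
        app.kubernetes.io/name: argocd-application-controller
        app.kubernetes.io/part-of: openshift-gitops
      name: argocd-application-controller
    rules:
    - apiGroups:
      - '*'
      resources:
      - '*'
      verbs:
      - '*'
    - nonResourceURLs:
      - '*'
      verbs:
      - '*'
    ---
    # API server role: delete/get/patch on any resource (live-object actions
    # from the UI and `argocd app patch`) plus read access to events and pod
    # logs. No list/watch on arbitrary resources.
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      labels:
        app.kubernetes.io/component: argocd-server
        app.kubernetes.io/name: gitops-argocd-server
        app.kubernetes.io/part-of: openshift-gitops
      name: gitops-argocd-server
    rules:
    - apiGroups:
      - '*'
      resources:
      - '*'
      verbs:
      - delete # supports deletion a live object in UI
      - get # supports viewing live object manifest in UI
      - patch # supports `argocd app patch`
    - apiGroups:
      - ""
      resources:
      - events
      verbs:
      - list # supports listing events in UI
    - apiGroups:
      - ""
      resources:
      - pods
      - pods/log
      verbs:
      - get # supports viewing pod logs from UI
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      labels:
        app.kubernetes.io/component: application-controller
        app.kubernetes.io/name: argocd-application-controller
        app.kubernetes.io/part-of: openshift-gitops
      name: argocd-application-controller
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: argocd-application-controller
    subjects:
    - kind: ServiceAccount
      name: argocd-argocd-application-controller
      namespace: openshift-gitops
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      labels:
        app.kubernetes.io/component: argocd-server
        app.kubernetes.io/name: argocd-server
        app.kubernetes.io/part-of: openshift-gitops
      name: argocd-server
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: gitops-argocd-server
    subjects:
    - kind: ServiceAccount
      name: argocd-argocd-server
      namespace: openshift-gitops
    ---
    # Operator subscription. `channel: latest` together with automatic
    # InstallPlan approval means operator upgrades roll out without review;
    # pin a versioned channel and/or use Manual approval where change control
    # is required. The operator's default Argo CD instance is disabled and the
    # `argocd` instance defined below is permitted to manage cluster-scoped
    # resources via ARGOCD_CLUSTER_CONFIG_NAMESPACES.
    apiVersion: operators.coreos.com/v1alpha1
    kind: Subscription
    metadata:
      name: openshift-gitops-operator
      namespace: openshift-operators
    spec:
      channel: latest
      installPlanApproval: Automatic
      name: openshift-gitops-operator
      source: "redhat-operators"
      sourceNamespace: "openshift-marketplace"
      config:
        env:
        - name: DISABLE_DEFAULT_ARGOCD_INSTANCE
          value: "true"
        - name: ARGOCD_CLUSTER_CONFIG_NAMESPACES
          value: "openshift-gitops"
    ---
    # Source: gitops-operator/templates/crd-reader.yaml
    # Read-only CRD access used by the readiness pod below.
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: crd-reader
    rules:
    - apiGroups:
      - apiextensions.k8s.io
      resources:
      - 'customresourcedefinitions'
      verbs:
      - get
      - list
    ---
    # Source: gitops-operator/templates/crd-reader.yaml
    # NOTE(review): bound to the namespace's `default` ServiceAccount, which
    # every pod in openshift-gitops without an explicit serviceAccountName
    # also receives; a dedicated ServiceAccount for the check pod would be
    # tighter.
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: crd-reader-binding
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: crd-reader
    subjects:
    - kind: ServiceAccount
      name: default
      namespace: openshift-gitops
    ---
    # Source: gitops-operator/templates/wait-for-crd.yaml
    # Polls until the Argo CD CRDs installed by the operator exist, so that
    # the AppProject and ArgoCD resources below can be admitted.
    apiVersion: v1
    kind: Pod
    metadata:
      name: cluster-check
      namespace: openshift-gitops
    spec:
      containers:
      - name: crd-check
        # NOTE(review): `latest` is a mutable tag and, combined with
        # IfNotPresent, may also serve a stale cached image. Pin an immutable
        # digest (`quay.io/openshift/origin-cli@sha256:...`) for a
        # reproducible, supply-chain-safe bootstrap.
        image: quay.io/openshift/origin-cli:latest
        imagePullPolicy: IfNotPresent
        command: ['sh', '-c', 'while [ true ]; do oc get crd argocds.argoproj.io applications.argoproj.io appprojects.argoproj.io; if [ $? -eq 0 ]; then break; fi ; sleep 5s; done']
        # The check only needs the mounted ServiceAccount token to talk to the
        # API; it requires no privileges or capabilities.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
      restartPolicy: Never
      terminationGracePeriodSeconds: 0
      serviceAccountName: default
    ---
    # Source: gitops-operator/templates/argocd-cr.yaml
    # Fully open default project: any source repo, any destination, any
    # cluster-scoped kind. Tighten sourceRepos/destinations once the set of
    # managed repositories and clusters is known.
    apiVersion: argoproj.io/v1alpha1
    kind: AppProject
    metadata:
      name: default
      annotations:
        "helm.sh/hook": post-install,post-upgrade
        "helm.sh/hook-weight": "25"
      namespace: openshift-gitops
    spec:
      clusterResourceWhitelist:
      - group: '*'
        kind: '*'
      destinations:
      - namespace: '*'
        server: '*'
      sourceRepos:
      - '*'
    status: {}
    ---
    # Source: gitops-operator/templates/argocd-cr.yaml
    apiVersion: argoproj.io/v1beta1
    kind: ArgoCD
    metadata:
      name: argocd
      labels:
        app: argocd
      namespace: openshift-gitops
    spec:
      applicationInstanceLabelKey: rht-gitops.com/openshift-gitops
      applicationSet: {}
      notifications:
        enabled: true
      rbac:
        # Login goes through OpenShift OAuth (sso.dex.openShiftOAuth below),
        # so every OpenShift user who can authenticate falls through to
        # defaultPolicy. The previous `role:admin` default made each such user
        # an Argo CD admin and, via the cluster-admin-equivalent controller
        # role above, effectively cluster-admin on this cluster. Default to
        # read-only and grant admin explicitly through the group mapping.
        defaultPolicy: role:readonly
        policy: |
          g, system:cluster-admins, role:admin
        scopes: '[groups]'
      repositoryCredentials: null
      resourceExclusions: |
        - apiGroups:
          - tekton.dev
          clusters:
          - '*'
          kinds:
          - TaskRun
          - PipelineRun
      server:
        ingress:
          enabled: false
        route:
          enabled: true
          tls:
            termination: reencrypt
      sso:
        dex:
          openShiftOAuth: true
        provider: dex
{{- end }}
--------------------------------------------------------------------------------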