├── .github └── workflows │ ├── tl500-publish-latest.yml │ ├── tl500-release.yml │ ├── tl500-stack-image-pr.yaml │ └── tl500-stack-image-publish.yaml ├── .gitignore ├── README.md ├── codereadyworkspaces ├── stack │ ├── Dockerfile │ ├── VERSION │ └── root │ │ └── usr │ │ └── local │ │ └── bin │ │ ├── entrypoint.sh │ │ └── user-functions.sh ├── tl112-devfile.yaml ├── tl500-devfile-v2.yaml └── tl500-devfile.yaml ├── helm-release.yaml └── tooling ├── .gitignore ├── README.md └── charts ├── tl500-base ├── Chart.yaml ├── templates │ ├── _helpers.tpl │ ├── gitlab │ │ ├── anyuid-scc.yaml │ │ ├── deployments.yaml │ │ ├── imagestreams.yaml │ │ ├── routes.yaml │ │ ├── secrets.yaml │ │ ├── serviceaccounts.yaml │ │ ├── services.yaml │ │ └── volumeclaims.yaml │ ├── logging │ │ └── namespace.yaml │ ├── machineset-infra.yaml │ ├── minio │ │ ├── create-bucket-job.yaml │ │ ├── deployment.yaml │ │ ├── pvc.yaml │ │ ├── secret.yaml │ │ └── service.yaml │ ├── namespace.yaml │ ├── operators │ │ ├── operatorgroup.yaml │ │ └── subscription.yaml │ ├── registry │ │ ├── config-imageregistry.yaml │ │ └── rbac.yaml │ ├── tl500-rbac.yaml │ └── user-workload-monitoring │ │ └── configmap.yaml └── values.yaml └── tl500-course-content ├── Chart.yaml ├── templates ├── _helpers.tpl ├── crd-reader.yaml ├── crw │ ├── ca-configmap.yaml │ └── crw.yaml ├── docs │ ├── configmap.yaml │ ├── deploy.yaml │ ├── routes.yaml │ └── service.yaml ├── image-puller.yaml ├── logging │ ├── clusterlogforwarder.yaml │ ├── clusterolebinding.yaml │ ├── lokistack.yaml │ ├── secret.yaml │ ├── serviceaccount.yaml │ └── uipplugin.yaml ├── stackrox │ ├── configure-stackrox-job.yaml │ └── configure-stackrox-rbac.yaml └── wait-for-crd.yaml └── values.yaml /.github/workflows/tl500-publish-latest.yml: -------------------------------------------------------------------------------- 1 | --- 2 | name: Publish latest TL500 Helm Charts 3 | 4 | on: 5 | push: 6 | branches: 7 | - main 8 | tags: 9 | - '*' 10 | paths: 11 | - 
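'tooling/charts/tl500-course-content/**'
      - 'tooling/charts/tl500-base/**'

# Least privilege for the job's GITHUB_TOKEN: the only privileged thing this workflow
# does is push packaged charts to the gh-pages branch, so it needs contents:write and
# nothing else. Without an explicit block the token receives the repository's default
# permission set, which may be broader than that.
permissions:
  contents: write

jobs:
  publish-latest:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): every action below is pinned to a mutable tag (@v2, @v4.9.6), so a
      # re-tagged or compromised upstream action would run here with push rights to this
      # repository. Pinning to a full commit SHA (tag kept in a trailing comment) closes
      # that gap. actions/checkout@v2 also runs on a Node.js runtime GitHub has deprecated.
      - name: Checkout
        uses: actions/checkout@v2

      # github.sha is a fixed-format hex string, so interpolating it into the yq
      # expression is safe. Do not extend this pattern to attacker-influenced context
      # (github.ref_name, PR titles, branch names) without routing the value via `env:`.
      - name: Update publish description for TL500-Base Helm Charts
        uses: mikefarah/yq@v4.9.6
        with:
          cmd: >
            yq e -i '.description = "${{ github.sha }}"' tooling/charts/tl500-base/Chart.yaml

      - name: Update publish description for TL500-Course-Content Helm Charts
        uses: mikefarah/yq@v4.9.6
        with:
          cmd: >
            yq e -i '.description = "${{ github.sha }}"' tooling/charts/tl500-course-content/Chart.yaml

      # The "latest" channel is published under a sentinel version intended to sort above
      # any real release. NOTE(review): unlike tl500-release.yml the value is not quoted
      # inside the yq expression; confirm this yq version stores it as the string
      # "v99.99.99" rather than rejecting or re-typing it.
      - name: Update publish version for TL500-Base Helm Chart
        uses: mikefarah/yq@v4.9.6
        with:
          cmd: >
            yq e -i '.version = v99.99.99' tooling/charts/tl500-base/Chart.yaml

      - name: Update publish version for TL500-Course-Content Helm Chart
        uses: mikefarah/yq@v4.9.6
        with:
          cmd: >
            yq e -i '.version = v99.99.99' tooling/charts/tl500-course-content/Chart.yaml

      # NOTE(review): Chart.lock files are excluded by this repository's .gitignore
      # (`*.lock`), so `helm dependency update` re-resolves every subchart on each run.
      # For the published artefact to be reproducible, subchart versions in Chart.yaml
      # must be exact or the lock files committed.
      - name: Install Helm dependencies and Package Charts TL500-base
        run: |
          helm dependency update tooling/charts/tl500-base
          helm package tooling/charts/tl500-base -d /tmp/charts

      - name: Install Helm dependencies and Package Charts TL500-course-content
        run: |
          helm dependency update tooling/charts/tl500-course-content
          helm package tooling/charts/tl500-course-content -d /tmp/charts

      # Second checkout into the same workspace, switching it to the publishing branch
      # (presumably relying on checkout's default clean of the working tree).
      - name: Checkout gh-pages
        uses: actions/checkout@v2
        with:
          ref: 'gh-pages'

      - name: Bring over the new Charts
        run: |
          mv /tmp/charts/tl500-*.tgz .

      - name: Index the Helm Charts
        run: |
          helm repo index --url https://rht-labs.com/enablement-framework .

      # The commit/push that follows runs with the job token (hence contents:write above).
      # NOTE(review): the commit message interpolates ${{ github.ref_name }} directly into
      # the shell script; pass it through `env:` and reference "$REF_NAME" instead so a
      # crafted tag name cannot be interpreted by the shell.
      - name: Publish the updated Charts
        run: |
          git config user.name "$GITHUB_ACTOR"
          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
          git add .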
73 | git commit -m "Updated latest charts ${{ github.ref_name }}" 74 | git push 75 | 76 | -------------------------------------------------------------------------------- /.github/workflows/tl500-release.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | name: Release Helm Charts 4 | 5 | on: 6 | release: 7 | types: 8 | - created 9 | jobs: 10 | release: 11 | runs-on: ubuntu-latest 12 | steps: 13 | - name: Checkout 14 | uses: actions/checkout@v2 15 | 16 | - name: Update release version for TL500-Base Helm Chart 17 | uses: mikefarah/yq@v4.9.6 18 | with: 19 | cmd: > 20 | yq e -i '.version = "${{ github.ref_name }}"' tooling/charts/tl500-base/Chart.yaml 21 | 22 | - name: Update release version for TL500-Course-Content Helm Chart 23 | uses: mikefarah/yq@v4.9.6 24 | with: 25 | cmd: > 26 | yq e -i '.version = "${{ github.ref_name }}"' tooling/charts/tl500-course-content/Chart.yaml 27 | 28 | - name: Add Git commit id to tl500-base chart description 29 | uses: mikefarah/yq@v4.9.6 30 | with: 31 | cmd: > 32 | yq e -i '.description = "${{ github.sha }}"' tooling/charts/tl500-base/Chart.yaml 33 | 34 | - name: Add Git commit id to tl500-course-content chart description 35 | uses: mikefarah/yq@v4.9.6 36 | with: 37 | cmd: > 38 | yq e -i '.description = "${{ github.sha }}"' tooling/charts/tl500-course-content/Chart.yaml 39 | 40 | - name: Install Helm dependencies and Package Charts TL500-base 41 | run: | 42 | helm dependency update tooling/charts/tl500-base 43 | helm package tooling/charts/tl500-base -d /tmp/charts 44 | 45 | - name: Install Helm dependencies and Package Charts TL500-course-content 46 | run: | 47 | helm dependency update tooling/charts/tl500-course-content 48 | helm package tooling/charts/tl500-course-content -d /tmp/charts 49 | 50 | - name: Checkout gh-pages 51 | uses: actions/checkout@v2 52 | with: 53 | ref: 'gh-pages' 54 | 55 | - name: Bring over the new Charts 56 | run: | 57 | mv /tmp/charts/tl500-*.tgz . 
58 | 59 | - name: Index the Helm Charts 60 | run: | 61 | helm repo index --url https://rht-labs.com/enablement-framework . 62 | 63 | - name: Publish the updated Charts 64 | run: | 65 | git config user.name "$GITHUB_ACTOR" 66 | git config user.email "$GITHUB_ACTOR@users.noreply.github.com" 67 | git add . 68 | git commit -m "Updated release charts ${{ github.ref_name }}" 69 | git push 70 | 71 | -------------------------------------------------------------------------------- /.github/workflows/tl500-stack-image-pr.yaml: -------------------------------------------------------------------------------- 1 | name: tl500-stack-image-pr 2 | on: 3 | pull_request: 4 | paths: 5 | - codereadyworkspaces/stack/** 6 | - .github/workflows/tl500-stack-image-pr.yaml 7 | jobs: 8 | build: 9 | runs-on: ubuntu-20.04 10 | env: 11 | context: codereadyworkspaces/stack 12 | image_name: stack-tl500 13 | steps: 14 | - uses: actions/checkout@v1 15 | - name: Get image tags 16 | id: image_tags 17 | run: | 18 | echo -n ::set-output name=IMAGE_TAGS:: 19 | # exposes variable VERSION 20 | source ${context}/VERSION 21 | echo ${VERSION} 22 | - name: Build image 23 | uses: redhat-actions/buildah-build@v2.6 24 | with: 25 | context: ${{ env.context }} 26 | dockerfiles: | 27 | ./${{ env.context }}/Dockerfile 28 | image: ${{ env.image_name }} 29 | oci: true 30 | tags: ${{ steps.image_tags.outputs.IMAGE_TAGS }} 31 | - name: Test image to check the version of CLIs 32 | run: | 33 | export `podman run ${{ env.image_name }}:${{ steps.image_tags.outputs.IMAGE_TAGS }} env | grep _VERSION` 34 | echo "Running: podman run ${{ env.image_name }}:${{ steps.image_tags.outputs.IMAGE_TAGS }} to check CLIs version" 35 | echo "⚓️check helm version" 36 | podman run ${{ env.image_name }}:${{ steps.image_tags.outputs.IMAGE_TAGS }} helm version | grep $HELM_VERSION 37 | echo "🦭check kubeseal --version" 38 | podman run ${{ env.image_name }}:${{ steps.image_tags.outputs.IMAGE_TAGS }} kubeseal --version | grep $KUBESEAL_VERSION 39 | 
echo "🐙check argocd version" 40 | podman run ${{ env.image_name }}:${{ steps.image_tags.outputs.IMAGE_TAGS }} argocd version | grep $ARGOCD_VERSION 41 | echo "🌲check conftest --version" 42 | podman run ${{ env.image_name }}:${{ steps.image_tags.outputs.IMAGE_TAGS }} conftest --version | grep $CONFTEST_VERSION 43 | echo "🦨check yq --version" 44 | podman run ${{ env.image_name }}:${{ steps.image_tags.outputs.IMAGE_TAGS }} yq --version | grep $YQ_VERSION 45 | echo "🦨check jq --version" 46 | podman run ${{ env.image_name }}:${{ steps.image_tags.outputs.IMAGE_TAGS }} jq --version | grep $JQ_VERSION 47 | echo "🦨check syft --version" 48 | podman run ${{ env.image_name }}:${{ steps.image_tags.outputs.IMAGE_TAGS }} syft --version | grep $SYFT_VERSION -------------------------------------------------------------------------------- /.github/workflows/tl500-stack-image-publish.yaml: -------------------------------------------------------------------------------- 1 | name: tl500-stack-image-publish 2 | on: 3 | push: 4 | branches: 5 | - main 6 | tags: 7 | - '*' 8 | paths: 9 | - codereadyworkspaces/stack/VERSION 10 | - .github/workflows/tl500-stack-image-publish.yaml 11 | jobs: 12 | build: 13 | env: 14 | context: codereadyworkspaces/stack 15 | image_name: stack-tl500 16 | runs-on: ubuntu-20.04 17 | steps: 18 | - uses: actions/checkout@v1 19 | - name: Get image tags 20 | id: image_tags 21 | run: | 22 | echo -n ::set-output name=IMAGE_TAGS:: 23 | # exposes variable VERSION 24 | source ${context}/VERSION 25 | TAGS=('latest') 26 | if [ "${VERSION}" ] && [ "${VERSION}" != "latest" ]; then 27 | TAGS+=("${VERSION}") 28 | fi 29 | echo "${TAGS[*]}" 30 | - name: Build image 31 | id: build_image 32 | uses: redhat-actions/buildah-build@v2.6 33 | with: 34 | context: ${{ env.context }} 35 | dockerfiles: | 36 | ./${{ env.context }}/Dockerfile 37 | image: ${{ env.image_name }} 38 | tags: "${{ steps.image_tags.outputs.IMAGE_TAGS }}" 39 | - name: Push to Quay 40 | id: push_to_quay 41 | uses: 
redhat-actions/push-to-registry@v2 42 | with: 43 | image: ${{ steps.build_image.outputs.image }} 44 | registry: ${{ secrets.REGISTRY_URI }}/${{ secrets.REGISTRY_REPOSITORY }} 45 | username: ${{ secrets.REGISTRY_USERNAME }} 46 | password: ${{ secrets.REGISTRY_PASSWORD }} 47 | tags: ${{ steps.build_image.outputs.tags }} -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | *.tgz 2 | *.lock 3 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # enablement-framework 2 | 3 | This repository contains the components needed to run a TL500 enablement session: 4 | - [Tooling](tooling) - The required tools to deploy once a cluster is available, see [tooling/README.md](tooling/README.md) 5 | 6 | ## Helm Releases 7 | - [Helm Releases](http://rht-labs.com/enablement-framework) - The above tooling made available as Helm Releases 8 | 9 | ## OCP Setup 10 | 11 | To install the above tooling, you need a specific OCP setup, with an LDAP installed: 12 | 13 | 1. get a running OCP 4.18 cluster with sufficient resources 14 | - Requirements 15 | - 3 control plane nodes with 16 | - 16 GB Memory 17 | - 4 CPU Cores 18 | - 120 GB FS storage (less might be sufficient) 19 | - 3 worker nodes with 20 | - 64 GB Memory 21 | - 16 CPU Cores 22 | - 120 GB FS storage (less might be sufficient) 23 | - If you have access to the [Red Hat Demo Platform](https://catalog.demo.redhat.com/catalog), you can do the following to achieve this setup: 24 | 1. order an [AWS Blank Open Environment](https://catalog.demo.redhat.com/catalog?item=babylon-catalog-prod/sandboxes-gpte.sandbox-open.prod&utm_source=webapp&utm_medium=share-link) 25 | 2. install Openshift 4.18 (e.g. 
using [https://gitlab.consulting.redhat.com/acidonpe/ocp-install-openenv-aws](https://gitlab.consulting.redhat.com/acidonpe/ocp-install-openenv-aws)) 26 | - ```computes_type='m5.4xlarge'``` 27 | - ```master_sno_type='m6i.4xlarge'``` 28 | 2. Install LDAP and create users 29 | 1. follow the steps described in [https://rht-labs.com/tech-exercise/#/99-the-rise-of-the-cluster/1-tooling-installation?id=user-management](https://rht-labs.com/tech-exercise/#/99-the-rise-of-the-cluster/1-tooling-installation?id=user-management) 30 | 2. in OCP 31 | - modify the OAuth resource ( ```https://<openshift-console-host>/k8s/cluster/config.openshift.io~v1~OAuth/cluster``` ) to use bind-dn ```admin``` 32 | - modify the respective secret (referenced from the OAuth resource above) to use bind-password ```Passw0rd123``` — this is a shared, well-known demo credential (it is documented in plain text here), so treat the cluster as a disposable lab environment and never reuse this bind DN/password anywhere else 33 | - add user group ```student``` ( ```https://<openshift-console-host>/k8s/cluster/user.openshift.io~v1~Group/~new``` ) 34 | 3. install the [TL500-base chart](tooling/charts/tl500-base/Chart.yaml) (located in [tooling](tooling)) 35 | 4. Test all the things using one of the following 36 | - [https://rht-labs.com/tech-exercise/#/1-the-manual-menace/](https://rht-labs.com/tech-exercise/#/1-the-manual-menace/) (web page) 37 | - [https://github.com/rht-labs/tech-exercise](https://github.com/rht-labs/tech-exercise) (source code) -------------------------------------------------------------------------------- /codereadyworkspaces/stack/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM registry.access.redhat.com/ubi9/ubi:9.1 2 | 3 | USER root 4 | 5 | # rht-labs stuff 6 | ENV ARGOCD_VERSION=2.7.1 \ 7 | YQ_VERSION=4.23.1 \ 8 | HELM_VERSION=3.11.2 \ 9 | KUBESEAL_VERSION=0.20.5 \ 10 | OC_VERSION=4.12.14 \ 11 | TEKTON_VERSION=1.10.0 \ 12 | JQ_VERSION=1.6 \ 13 | CONFTEST_VERSION=0.41.0 \ 14 | ROX_VERSION=3.74.3 \ 15 | KUBELINTER_VERSION=0.6.3 \ 16 | COSIGN_VERSION=2.2.3 \ 17 | K6_VERSION=0.44.0 \ 18 | JSONNET_VERSION=0.20.0 \ 19 | SYFT_VERSION=0.82.0 20 | 21 | ENV 
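JAVA_HOME=/usr/lib/jvm/java-17-openjdk \
    MAVEN_URL=https://archive.apache.org/dist/maven/maven-3/3.9.1/binaries/apache-maven-3.9.1-bin.tar.gz \
    HOME=/home/developer \
    PROJECTS=/projects \
    MAVEN_CONFIG=/projects/.m2

# PATH gets its own ENV instruction so that $HOME expands to /home/developer: inside a
# single ENV instruction every variable is expanded with the values in effect *before*
# that instruction, so the previous combined form put the build user's home directory
# (not /home/developer) on PATH.
ENV PATH=$HOME/node_modules/.bin/:$HOME/.npm-global/bin/:/opt/app-root/src/.npm-global/bin/:/usr/lib/jvm/java-17-openjdk/bin:/usr/bin:$HOME/go/bin:$PATH

RUN dnf -y install \
    bash tar gzip unzip which findutils wget git procps-ng python3-pip bzip2 java-17-openjdk java-17-openjdk-devel java-17-openjdk-headless nodejs npm nodejs-nodemon nss_wrapper zsh iputils bind-utils net-tools go-toolset openssl && \
    dnf -y -q clean all && rm -rf /var/cache/yum && \
    pip3 install pylint && \
    mkdir -p ${HOME} ${PROJECTS} /usr/share/maven && \
    curl -fsSL ${MAVEN_URL} | tar -xzC /usr/share/maven --strip-components=1 && \
    ln -s /usr/share/maven/bin/mvn /usr/bin/mvn && \
    ln -s /usr/bin/node /usr/bin/nodejs

# All CLI downloads below use `curl -fsSL`: -f makes an HTTP error fail the build instead
# of silently writing an error page into /usr/local/bin and then marking it executable,
# and TLS verification stays ON (the previous `-k` disabled it for helm, cosign, conftest,
# hey and k6, turning a supply-chain download into an unauthenticated fetch). Binaries are
# installed 0755 rather than 0775: this image follows the OpenShift arbitrary-uid model
# (the developer user is added to the root group and everything is chgrp 0 / g+rwX further
# down), so a group-writable binary is writable by any workspace process.
# NOTE(review): none of these downloads is checksum- or signature-verified against the
# upstream release; a version pin alone does not protect against a replaced artefact.

# argo
RUN curl -fsSL https://github.com/argoproj/argo-cd/releases/download/v${ARGOCD_VERSION}/argocd-linux-amd64 -o /usr/local/bin/argocd && \
    chmod 755 /usr/local/bin/argocd && \
    echo "🐙🐙🐙🐙🐙"

# kubeseal
RUN curl -fsSL https://github.com/bitnami-labs/sealed-secrets/releases/download/v${KUBESEAL_VERSION}/kubeseal-${KUBESEAL_VERSION}-linux-amd64.tar.gz | tar --no-same-owner -xzf - -C /usr/local/bin kubeseal && \
    chmod 755 /usr/local/bin/kubeseal && \
    echo "🦭🦭🦭🦭🦭"

# tekton
RUN curl -fsSL https://mirror.openshift.com/pub/openshift-v4/clients/pipeline/${TEKTON_VERSION}/tkn-linux-amd64.tar.gz | tar --no-same-owner -xzf - -C /usr/local/bin tkn && \
    chmod 755 /usr/local/bin/tkn && \
    echo "🐈🐈🐈🐈🐈"

# oc client (replaces any oc shipped by the base image)
RUN rm -f /usr/bin/oc && \
    curl -fsSL https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/${OC_VERSION}/openshift-client-linux.tar.gz | tar -C /usr/local/bin -xzf - && \
    echo "🐨🐨🐨🐨🐨"

# roxctl client
RUN curl -fsSL -o /usr/local/bin/roxctl https://mirror.openshift.com/pub/rhacs/assets/${ROX_VERSION}/bin/Linux/roxctl && \
    chmod 755 /usr/local/bin/roxctl && \
    echo "🦜🦜🦜🦜🦜"

# kube-linter
RUN curl -fsSL https://github.com/stackrox/kube-linter/releases/download/v${KUBELINTER_VERSION}/kube-linter-linux.tar.gz | tar -C /usr/local/bin -xzf - && \
    chmod 755 /usr/local/bin/kube-linter && \
    echo "🐐🐐🐐🐐🐐"

# jq / yq
RUN curl -fsSLo /usr/local/bin/jq https://github.com/stedolan/jq/releases/download/jq-${JQ_VERSION}/jq-linux64 && \
    chmod 755 /usr/local/bin/jq && \
    curl -fsSLo /usr/local/bin/yq https://github.com/mikefarah/yq/releases/download/v${YQ_VERSION}/yq_linux_amd64 && \
    chmod 755 /usr/local/bin/yq && \
    echo "🦨🦨🦨🦨🦨"

# Conftest? This will make Gareth Happy :P
RUN curl -fsSL https://github.com/open-policy-agent/conftest/releases/download/v${CONFTEST_VERSION}/conftest_${CONFTEST_VERSION}_Linux_x86_64.tar.gz | tar zxf - -C /usr/local/bin conftest && \
    echo "🌲🌲🌲🌲🌲"

# helm
RUN curl -fsSL -o /tmp/helm.tar.gz https://get.helm.sh/helm-v${HELM_VERSION}-linux-amd64.tar.gz && \
    tar -C /tmp -xzf /tmp/helm.tar.gz && \
    mv -v /tmp/linux-amd64/helm /usr/local/bin && \
    chmod 755 /usr/local/bin/helm && \
    rm -rf /tmp/linux-amd64 /tmp/helm.tar.gz && \
    echo "⚓️⚓️⚓️⚓️⚓️"

# cosign (the signature-verification tool itself must not be fetched with verification off)
RUN curl -fsSL -o /usr/local/bin/cosign https://github.com/sigstore/cosign/releases/download/v${COSIGN_VERSION}/cosign-linux-amd64 && \
    chmod 755 /usr/local/bin/cosign && \
    echo "🔒🔒🔒🔒"

# syft
# NOTE(review): `curl | sh` runs the upstream installer unreviewed. It is pinned to a
# release tag, but the script itself is trusted blindly at build time.
RUN curl -sSfL https://raw.githubusercontent.com/anchore/syft/v${SYFT_VERSION}/install.sh | sh -s -- -b /usr/local/bin && \
    echo "🛼🛼🛼"

# hey (unversioned download from an S3 bucket — the content can change without notice)
RUN curl -fsSL -o /usr/local/bin/hey https://hey-release.s3.us-east-2.amazonaws.com/hey_linux_amd64 && \
    chmod 755 /usr/local/bin/hey && \
    echo "👋👋👋"

# k6
RUN curl -fsSL https://github.com/grafana/k6/releases/download/v${K6_VERSION}/k6-v${K6_VERSION}-linux-amd64.tar.gz | tar zxf - -C /usr/local/bin --strip-components=1 k6-v${K6_VERSION}-linux-amd64/k6 && \
    chmod 755 /usr/local/bin/k6 && \
    echo "🐶🐶🐶"

# docsify-cli
# NOTE(review): unpinned npm install — resolves to whatever is latest at build time.
RUN npm i -g docsify-cli && \
    echo "📚📚📚📚📚"

# oh-my-zsh
# NOTE(review): clones the unpinned default branch, so image content depends on upstream
# state at build time and is not reproducible; pin a commit if that matters.
RUN git clone https://github.com/robbyrussell/oh-my-zsh.git $HOME/.oh-my-zsh && \
    cp $HOME/.oh-my-zsh/templates/zshrc.zsh-template $HOME/.zshrc && \
    chmod 660 $HOME/.zshrc && \
    sed -i '1iZSH_DISABLE_COMPFIX=true' $HOME/.zshrc && \
    sed -i '/^# DISABLE_MAGIC_FUNCTIONS.*/s/^#//' $HOME/.zshrc && \
    echo "setopt PROMPT_CR" >> $HOME/.zshrc && \
    echo "setopt PROMPT_SP" >> $HOME/.zshrc && \
    echo "export PROMPT_EOL_MARK=\"\"" >> $HOME/.zshrc && \
    echo "😎😎😎😎😎"

# sort out git
# These lines are appended to the system-wide rc files, so they run in every shell.
# NOTE(review): http.sslVerify=false is global — it disables certificate checking for
# every git remote, not only the in-cluster GitLab, and allows a MITM on any clone/push.
# tooling/README.md already assumes the cluster has valid certificates; if that holds
# the line should go, otherwise scope it to the GitLab host (`http.<url>.sslVerify`) or
# trust the cluster CA. The credential cache keeps plaintext credentials in memory for
# 172800s (48h); shorten it unless workspaces genuinely outlive a day.
RUN echo "git config --global http.sslVerify false" | tee -a /etc/bashrc -a /etc/zshrc && \
    echo "git config --global user.name 'Derek Dinosaur'" | tee -a /etc/bashrc -a /etc/zshrc && \
    echo "git config --global user.email 'derek@dinosaur.com'" | tee -a /etc/bashrc -a /etc/zshrc && \
    echo "git config --global credential.helper 'cache --timeout=172800'" | tee -a /etc/bashrc -a /etc/zshrc && \
    echo "git config --global pull.rebase 'false'" | tee -a /etc/bashrc -a /etc/zshrc && \
    echo "git config --global push.default 'simple'" | tee -a /etc/bashrc -a /etc/zshrc && \
    echo "🤗🤗🤗🤗🤗"

# needed for DevSpaces nodejs agent version for now, not in ubi - libcrypto.so.1.1
# NOTE(review): installs a Fedora 37 package from a third-party mirror into a RHEL 9 image.
# dnf does not GPG-check a package given by URL unless localpkg_gpgcheck is enabled, and
# the mirror's content can change or vanish. Prefer a checksum-verified copy from an
# internal artefact store, or a base that already ships the library the agent needs.
RUN dnf install -y https://rpmfind.net/linux/fedora/linux/releases/37/Everything/x86_64/os/Packages/o/openssl1.1-1.1.1q-2.fc37.x86_64.rpm && \
    dnf -y -q clean all && rm -rf /var/cache/yum

# custom user functions (sourced into every bash/zsh session)
RUN echo "source /usr/local/bin/user-functions.sh" | tee -a /etc/bashrc -a /etc/zshrc

# create user && clean up
RUN rm -rf /tmp/* && \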
138 | useradd -u 1000 -G wheel,root -d /home/developer --shell /bin/zsh -M developer && \ 139 | for f in "${HOME}" "/etc/passwd" "/etc/group" "/projects" "${HOME}/.cache"; do \ 140 | chgrp -R 0 ${f} && \ 141 | chmod -R g+rwX ${f}; \ 142 | done && \ 143 | echo "🧹🧹🧹🧹🧹" && \ 144 | cat /etc/passwd | \ 145 | sed s#developer:x.*#developer:x:\${USER_ID}:\${GROUP_ID}::\${HOME}:/bin/zsh#g \ 146 | > ${HOME}/passwd.template && \ 147 | cat /etc/group | \ 148 | sed s#root:x:0:#root:x:0:0,\${USER_ID}:#g \ 149 | > ${HOME}/group.template && \ 150 | echo "🐟🐟🐟🐟🐟" 151 | 152 | # Prepare entrypoint 153 | COPY root / 154 | 155 | # runtime 156 | USER developer 157 | ENTRYPOINT [ "/usr/local/bin/entrypoint.sh" ] 158 | WORKDIR /projects 159 | -------------------------------------------------------------------------------- /codereadyworkspaces/stack/VERSION: -------------------------------------------------------------------------------- 1 | VERSION=3.0.19 2 | -------------------------------------------------------------------------------- /codereadyworkspaces/stack/root/usr/local/bin/entrypoint.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -e 4 | 5 | export USER_ID=$(id -u) 6 | export GROUP_ID=$(id -g) 7 | 8 | if ! whoami &>/dev/null; then 9 | # current user is an arbitrary 10 | # user (its uid is not in the 11 | # container /etc/passwd). 
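Let's fix that
  # NOTE(review): rewriting /etc/passwd and /etc/group at runtime only works because the
  # Dockerfile makes both files group-writable by gid 0; that also lets any gid-0 process
  # add an account. nss_wrapper is already installed in this image and provides the same
  # uid-to-name mapping without writable system files.
  cat ${HOME}/passwd.template | \
    sed "s/\${USER_ID}/${USER_ID}/g" | \
    sed "s/\${GROUP_ID}/${GROUP_ID}/g" | \
    sed "s/\${HOME}/\/home\/developer/g" > /etc/passwd

  cat ${HOME}/group.template | \
    sed "s/\${USER_ID}/${USER_ID}/g" | \
    sed "s/\${GROUP_ID}/${GROUP_ID}/g" | \
    sed "s/\${HOME}/\/home\/developer/g" > /etc/group
fi

exec "$@"
--------------------------------------------------------------------------------
/codereadyworkspaces/stack/root/usr/local/bin/user-functions.sh:
--------------------------------------------------------------------------------
#!/bin/sh

# Holds the last token produced by gitlab_pat. Exported up front so the plain
# assignment inside the function is visible to child processes of the shell.
export GITLAB_PAT=

# Generate a new GitLab Personal Access Token for the workshop user by driving the
# GitLab web UI (LDAP sign-in form -> /profile/personal_access_tokens) with curl.
#
# Inputs (environment): GIT_SERVER (host part of the GitLab URL), GITLAB_USER,
#                       GITLAB_PASSWORD.
# Output: prints the new token on stdout and stores it in GITLAB_PAT.
# Returns 1 if a required variable is missing or a temp file cannot be created.
#
# Side effects worth knowing before calling this:
#   * every existing PAT of the user is revoked first ("revoke them all");
#   * the new token has the full `api` scope and no expiry (`expires_at=` is empty),
#     i.e. it is a long-lived, fully privileged credential — keep it out of shell
#     history and repository contents;
#   * the token is echoed to the terminal so callers can capture it
#     (`PAT=$(gitlab_pat)`), which also puts it in any terminal log/recording.
# NOTE(review): all curl calls use -k (no TLS verification), so the LDAP password and
# the resulting token are exposed to anyone able to intercept traffic to GIT_SERVER.
# tooling/README.md assumes the cluster has valid certificates; if that holds, drop -k
# or replace it with --cacert pointing at the cluster CA.
gitlab_pat() {
  # checks: return non-zero so `PAT=$(gitlab_pat) || ...` can detect the failure
  [ -z "$GIT_SERVER" ] && echo "Warning: must supply GIT_SERVER in env" && return 1
  [ -z "$GITLAB_USER" ] && echo "Warning: must supply GITLAB_USER in env" && return 1
  [ -z "$GITLAB_PASSWORD" ] && echo "Warning: must supply GITLAB_PASSWORD in env" && return 1
  # printf rather than echo: this file is sourced into bash and zsh, and zsh's echo
  # interprets backslash escapes, which would corrupt a password containing '\'.
  gitlabEncodedPassword=$(printf '%s\n' "${GITLAB_PASSWORD}" | perl -MURI::Escape -ne 'chomp;print uri_escape($_)')
  # private, unpredictable cookie jar instead of the fixed /tmp/cookies.txt, which any
  # other process sharing /tmp could read (session cookie) or pre-create as a symlink
  cookie_jar=$(mktemp) || return 1
  # get csrf from login page
  gitlab_basic_auth_string="Basic $(echo -n ${GITLAB_USER}:${gitlabEncodedPassword} | base64)"
  body_header=$(curl -k -L -s -H "Authorization: ${gitlab_basic_auth_string}" -c "${cookie_jar}" -i "https://${GIT_SERVER}/users/sign_in")
  # $body_header is deliberately unquoted: word-splitting collapses the response onto
  # one line so the non-greedy regex can span what were line breaks
  csrf_token=$(echo $body_header | perl -ne 'print "$1\n" if /new_user.*?authenticity_token"[[:blank:]]value="(.+?)"/' | sed -n 1p)
  # login
  curl -k -s -H "Authorization: ${gitlab_basic_auth_string}" -b "${cookie_jar}" -c "${cookie_jar}" -i "https://${GIT_SERVER}/users/auth/ldapmain/callback" \
    --data "username=${GITLAB_USER}&password=${gitlabEncodedPassword}" \
    --data-urlencode "authenticity_token=${csrf_token}" \
    > /dev/null
  # generate personal access token form
  body_header=$(curl -k -L -H "Authorization: ${gitlab_basic_auth_string}" -H 'user-agent: curl' -b "${cookie_jar}" -i "https://${GIT_SERVER}/profile/personal_access_tokens" -s)
  csrf_token=$(echo $body_header | perl -ne 'print "$1\n" if /authenticity_token"[[:blank:]]value="(.+?)"/' | sed -n 1p)
  # revoke them all 💀 !! (token ids scraped from the listing page)
  revoke=$(echo $body_header | perl -nle 'print join " ", m/personal_access_tokens\/(\d+)/g;')
  if [ ! -z "$revoke" ]; then
    for x in $revoke; do
      curl -k -s -o /dev/null -L -b "${cookie_jar}" -X POST "https://${GIT_SERVER}/profile/personal_access_tokens/$x/revoke" --data-urlencode "authenticity_token=${csrf_token}" --data-urlencode "_method=put"
    done
  fi
  # create the token (api scope, no expiry) and scrape it from the response
  body_header=$(curl -k -s -L -H "Authorization: ${gitlab_basic_auth_string}" -b "${cookie_jar}" "https://${GIT_SERVER}/profile/personal_access_tokens" \
    --data-urlencode "authenticity_token=${csrf_token}" \
    --data 'personal_access_token[name]='"${GITLAB_USER}"'&personal_access_token[expires_at]=&personal_access_token[scopes][]=api')
  GITLAB_PAT=$(echo $body_header | perl -ne 'print "$1\n" if /created-personal-access-token"[[:blank:]]value="(.+?)"/' | sed -n 1p)
  # the session cookie is no longer needed once the token exists
  rm -f "${cookie_jar}"
  echo "$GITLAB_PAT"
}
--------------------------------------------------------------------------------
/codereadyworkspaces/tl112-devfile.yaml:
--------------------------------------------------------------------------------
apiVersion: 1.0.0
metadata:
  name: tl112
  generateName: tl112-
projects:
  - name: sre-enablement-content
    clonePath: sre-enablement-content
    source:
      type: git
      location: 'https://github.com/rht-labs/sre-enablement-content.git'
      branch: 'main'
components:
  - type: cheEditor
    alias: theia-editor
    id: eclipse/che-theia/latest
    memoryLimit: 2Gi
  - alias: exec-plugin
    type: chePlugin
    id: eclipse/che-machine-exec-plugin/latest
  - alias: node-debug2
    type: chePlugin
    id: ms-vscode/node-debug2/latest
  - alias: 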
vscode-yaml 24 | type: chePlugin 25 | id: redhat/vscode-yaml/latest 26 | - type: dockerimage 27 | alias: stack-tl112 28 | image: quay.io/rht-labs/stack-tl112:3.0.9 29 | memoryLimit: 2Gi 30 | mountSources: true 31 | command: ['/bin/sh', '-c', 'sleep infinity'] 32 | volumes: 33 | - name: projects 34 | containerPath: /projects 35 | - name: config 36 | containerPath: /home/developer/.config 37 | - name: npm 38 | containerPath: /home/developer/.npm 39 | endpoints: 40 | - name: ide-8080 41 | port: 8080 42 | attributes: 43 | discoverable: "true" 44 | public: "true" 45 | protocol: http 46 | - name: ide-9000 47 | port: 9000 48 | attributes: 49 | discoverable: "true" 50 | public: "true" 51 | protocol: http 52 | - name: ide-3000 53 | port: 3000 54 | attributes: 55 | discoverable: "true" 56 | public: "true" 57 | protocol: http 58 | - name: ide-4200 59 | port: 4200 60 | attributes: 61 | discoverable: "true" 62 | public: "true" 63 | protocol: http 64 | - name: ide-4444 65 | port: 4444 66 | attributes: 67 | protocol: http 68 | - name: ide-8081 69 | port: 8081 70 | attributes: 71 | discoverable: "true" 72 | public: "true" 73 | protocol: http 74 | - name: ide-8082 75 | port: 8082 76 | attributes: 77 | discoverable: "true" 78 | public: "true" 79 | protocol: http 80 | - name: ide-8083 81 | port: 8083 82 | attributes: 83 | discoverable: "true" 84 | public: "true" 85 | protocol: http 86 | - name: ide-8084 87 | port: 8084 88 | attributes: 89 | discoverable: "true" 90 | public: "true" 91 | protocol: http 92 | -------------------------------------------------------------------------------- /codereadyworkspaces/tl500-devfile-v2.yaml: -------------------------------------------------------------------------------- 1 | schemaVersion: 2.1.0 2 | metadata: 3 | name: tl500 4 | attributes: 5 | che-theia.eclipse.org/sidecar-policy: USE_DEV_CONTAINER 6 | controller.devfile.io/devworkspace-config: 7 | name: devworkspace-config 8 | namespace: tl500-workspaces 9 | controller.devfile.io/storage-type: 
per-workspace 10 | metadata-name-field: generateName 11 | metadata-name-original-value: tl500- 12 | projects: 13 | - attributes: 14 | source-origin: branch 15 | clonePath: tech-exercise 16 | git: 17 | checkoutFrom: 18 | revision: main 19 | remotes: 20 | origin: 'https://github.com/rht-labs/tech-exercise' 21 | name: tech-exercise 22 | components: 23 | - container: 24 | args: 25 | - /bin/sh 26 | - '-c' 27 | - sleep infinity 28 | endpoints: 29 | - attributes: 30 | discoverable: 'true' 31 | protocol: http 32 | public: 'true' 33 | exposure: public 34 | name: ide-8080 35 | protocol: http 36 | targetPort: 8080 37 | - attributes: 38 | discoverable: 'true' 39 | protocol: http 40 | public: 'true' 41 | exposure: public 42 | name: ide-9000 43 | protocol: http 44 | targetPort: 9000 45 | - attributes: 46 | discoverable: 'true' 47 | protocol: http 48 | public: 'true' 49 | exposure: public 50 | name: ide-3000 51 | protocol: http 52 | targetPort: 3000 53 | - attributes: 54 | discoverable: 'true' 55 | protocol: http 56 | public: 'true' 57 | exposure: public 58 | name: ide-4200 59 | protocol: http 60 | targetPort: 4200 61 | - attributes: 62 | protocol: http 63 | exposure: public 64 | name: ide-4444 65 | protocol: http 66 | targetPort: 4444 67 | - attributes: 68 | discoverable: 'true' 69 | protocol: http 70 | public: 'true' 71 | exposure: public 72 | name: ide-8081 73 | protocol: http 74 | targetPort: 8081 75 | - attributes: 76 | discoverable: 'true' 77 | protocol: http 78 | public: 'true' 79 | exposure: public 80 | name: ide-8082 81 | protocol: http 82 | targetPort: 8082 83 | - attributes: 84 | discoverable: 'true' 85 | protocol: http 86 | public: 'true' 87 | exposure: public 88 | name: ide-8083 89 | protocol: http 90 | targetPort: 8083 91 | - attributes: 92 | discoverable: 'true' 93 | protocol: http 94 | public: 'true' 95 | exposure: public 96 | name: ide-8084 97 | protocol: http 98 | targetPort: 8084 99 | image: 'quay.io/rht-labs/stack-tl500:3.0.19' 100 | memoryLimit: 2Gi 101 | 
mountSources: true 102 | sourceMapping: /projects 103 | volumeMounts: 104 | - name: projects 105 | path: /projects 106 | - name: config 107 | path: /home/developer/.config 108 | - name: npm 109 | path: /home/developer/.npm 110 | name: stack-tl500 111 | - name: projects 112 | volume: {} 113 | - name: config 114 | volume: {} 115 | - name: npm 116 | volume: {} 117 | -------------------------------------------------------------------------------- /codereadyworkspaces/tl500-devfile.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: 1.0.0 2 | metadata: 3 | name: tl500 4 | generateName: tl500- 5 | projects: 6 | - name: tech-exercise 7 | clonePath: tech-exercise 8 | source: 9 | type: git 10 | location: 'https://github.com/rht-labs/tech-exercise' 11 | branch: 'main' 12 | components: 13 | - type: cheEditor 14 | alias: theia-editor 15 | id: eclipse/che-theia/latest 16 | memoryLimit: 2Gi 17 | - alias: exec-plugin 18 | type: chePlugin 19 | id: eclipse/che-machine-exec-plugin/latest 20 | - alias: node-debug2 21 | type: chePlugin 22 | id: ms-vscode/node-debug2/latest 23 | - alias: vscode-yaml 24 | type: chePlugin 25 | id: redhat/vscode-yaml/latest 26 | - alias: typescript-language-features 27 | type: chePlugin 28 | id: vscode/typescript-language-features/latest 29 | - type: dockerimage 30 | alias: stack-tl500 31 | image: quay.io/rht-labs/stack-tl500:3.0.18 32 | memoryLimit: 2Gi 33 | mountSources: true 34 | args: ['/bin/sh', '-c', 'sleep infinity'] 35 | volumes: 36 | - name: projects 37 | containerPath: /projects 38 | - name: config 39 | containerPath: /home/developer/.config 40 | - name: npm 41 | containerPath: /home/developer/.npm 42 | endpoints: 43 | - name: ide-8080 44 | port: 8080 45 | attributes: 46 | discoverable: "true" 47 | public: "true" 48 | protocol: http 49 | - name: ide-9000 50 | port: 9000 51 | attributes: 52 | discoverable: "true" 53 | public: "true" 54 | protocol: http 55 | - name: ide-3000 56 | port: 3000 57 | 
attributes: 58 | discoverable: "true" 59 | public: "true" 60 | protocol: http 61 | - name: ide-4200 62 | port: 4200 63 | attributes: 64 | discoverable: "true" 65 | public: "true" 66 | protocol: http 67 | - name: ide-4444 68 | port: 4444 69 | attributes: 70 | protocol: http 71 | - name: ide-8081 72 | port: 8081 73 | attributes: 74 | discoverable: "true" 75 | public: "true" 76 | protocol: http 77 | - name: ide-8082 78 | port: 8082 79 | attributes: 80 | discoverable: "true" 81 | public: "true" 82 | protocol: http 83 | - name: ide-8083 84 | port: 8083 85 | attributes: 86 | discoverable: "true" 87 | public: "true" 88 | protocol: http 89 | - name: ide-8084 90 | port: 8084 91 | attributes: 92 | discoverable: "true" 93 | public: "true" 94 | protocol: http 95 | -------------------------------------------------------------------------------- /helm-release.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: helm.fluxcd.io/v1 2 | kind: HelmRelease 3 | metadata: 4 | name: enablement-framework 5 | namespace: tl500 6 | spec: 7 | releaseName: tl500 8 | timeout: 1200 9 | chart: 10 | git: https://github.com/rht-labs/enablement-framework 11 | ref: v3.0.0 12 | path: tooling/charts/tl500 13 | -------------------------------------------------------------------------------- /tooling/.gitignore: -------------------------------------------------------------------------------- 1 | *.tgz 2 | *.lock 3 | 4 | .DS_Store 5 | -------------------------------------------------------------------------------- /tooling/README.md: -------------------------------------------------------------------------------- 1 | # TL500 Cluster Tooling 2 | 3 | This directory contains the necessary charts used in order to deploy a TL500 Tech Stack against an OCP 4.X cluster. This assumes that the cluster has valid certificates. 4 | 5 | 🐞 Please ensure your cluster is the latest Z release - 4.18.z. We test against these. 
🐞 6 | 7 | This chart is capable of deploying the following: 8 | 9 | - Gitlab (version X.Y.Z) 10 | - CodeReady Workspaces (version X.Y.Z) 11 | - Instructor Documentation 12 | - SealedSecrets from Bitnami 13 | - OpenShift Pipelines 14 | - Advanced Cluster Security (StackRox) 15 | - Cluster Logging (LokiStack) 16 | - Certificate Utils 17 | - GitOps Operator (ArgoCD) 18 | 19 | ## Helm Release 20 | 21 | This content is also made available as [Helm Releases](http://rht-labs.com/enablement-framework/) if you prefer to use that method. Otherwise, continue below. 22 | 23 | ## Installation 24 | 25 | It is assumed that LDAP is integrated with the target cluster's OAuth provider. If that is not the case, the user will need to supply the LDAP integration parameters (see the `values.yaml` file for details). 26 | 27 | ## Using a chart version 28 | 29 | When specifying a chart version, make sure to use the same version for both chart deployments. 30 | 31 | 1. Install TL500 Base 32 | 33 | For 4.18.z OpenShift: 34 | 35 | ```bash 36 | helm repo add enablement-framework https://rht-labs.com/enablement-framework 37 | helm repo update 38 | helm search repo enablement-framework 39 | helm install tl500-base enablement-framework/tl500-base --version XYZ --namespace tl500 --create-namespace --timeout=15m 40 | ``` 41 | 42 | 2. Install TL500 Course Content 43 | 44 | For 4.18.z OpenShift: 45 | 46 | ```bash 47 | helm repo add enablement-framework https://rht-labs.com/enablement-framework 48 | helm repo update 49 | helm search repo enablement-framework 50 | helm install tl500-course-content enablement-framework/tl500-course-content --version XYZ --namespace tl500 --create-namespace --timeout=15m 51 | ``` 52 | 53 | ## Using the helm chart source code 54 | 55 | 1. Get the source code 56 | 57 | ```bash 58 | git clone https://github.com/rht-labs/enablement-framework.git 59 | cd enablement-framework/tooling/charts/tl500-base 60 | helm dep up 61 | ``` 62 | 63 | 2. 
Install TL500 Base 64 | 65 | ```bash 66 | helm upgrade --install tl500-base . --namespace tl500 --create-namespace --timeout=15m 67 | ``` 68 | 69 | 3. Install TL500 Course Content 70 | 71 | ```bash 72 | cd ../tl500-course-content 73 | helm dep up 74 | helm upgrade --install tl500-course-content . --namespace tl500 --create-namespace --timeout=15m 75 | ``` 76 | 77 | ## Deleting 78 | 79 | To delete: 80 | ```bash 81 | helm uninstall tl500-base --namespace tl500 82 | helm uninstall tl500-course-content --namespace tl500 83 | ``` 84 | 85 | ## Gitlab 86 | 87 | Gitlab expects to run against a configured LDAP server. You can either uncomment and provide the appropriate values in your `values.yaml`, or allow the helm chart to discover these values itself (it reads them from the cluster's OAuth identity provider configuration). 88 | 89 | After this is deployed, you will have a functional gitlab server that can be used along with your LDAP identities. 90 | 91 | ## CodeReady Workspaces 92 | 93 | CRW is deployed as an instance via the provided Operator. With the provided defaults, it restricts users to two workspaces and allows only a single `running` instance. 94 | 95 | ## Running on infra nodes 96 | 97 | To run on an infra node (currently only AWS is supported), enable this by setting `runOnInfra: true`. This assumes that there is at least one infra node configured with the label `node-role.kubernetes.io/infra: ""`. 
98 | 99 | If you want to provision the node for this too, set the `machineSet` property with appropriate values: 100 | 101 | ```yaml 102 | # not sure if this should be in this repo but putting somewhere for safe keeping at least 103 | machineset: 104 | enabled: true 105 | cluster_id: '' # id of the cluster 106 | region: 'eu-west-2' 107 | availability_zone: 'eu-west-2a' 108 | ami_id: 'ami-0993bc7222e12bd80' # eu-west-2 for example, you'd need to find the right ami for the region 109 | ``` 110 | -------------------------------------------------------------------------------- /tooling/charts/tl500-base/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: tl500-base 3 | description: A Helm chart for Kubernetes 4 | type: application 5 | version: 0.0.3 6 | appVersion: 0.0.1 7 | maintainers: 8 | - name: eformat 9 | - name: tylerauerbeck 10 | - name: jacobsee 11 | - name: jtudelag 12 | - name: ckavili 13 | - name: springdo 14 | - name: acidonper 15 | dependencies: 16 | - name: sealed-secrets 17 | version: "2.8.2" 18 | repository: https://bitnami-labs.github.io/sealed-secrets 19 | condition: sealed-secrets.enabled 20 | - name: stackrox-chart 21 | version: "0.0.9" 22 | repository: https://redhat-cop.github.io/helm-charts 23 | condition: stackrox-chart.enabled 24 | - name: gitops-operator 25 | version: "0.7.0" 26 | repository: https://redhat-cop.github.io/helm-charts 27 | condition: gitops-operator.enabled 28 | - name: tl500-teamsters 29 | version: "0.0.3" 30 | repository: http://rht-labs.com/tl500-teamsters 31 | condition: tl500-teamsters.enabled 32 | -------------------------------------------------------------------------------- /tooling/charts/tl500-base/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{- define "ldap_def" -}} 2 | {{- $idp := (lookup "config.openshift.io/v1" "OAuth" "" "cluster").spec.identityProviders -}} 3 | {{- range $idp 
-}} 4 | {{- if hasKey . "ldap" }} 5 | {{- $ldap := . -}} 6 | {{- $ldap.ldap | toYaml -}} 7 | {{- end -}} 8 | {{- end -}} 9 | {{- end -}} 10 | 11 | {{- define "gitlab.ldap.port" -}} 12 | {{- if $.Values.gitlab.ldap.port -}} 13 | {{ $.Values.gitlab.ldap.port }} 14 | {{- else -}} 15 | {{- $ldap := include "ldap_def" . | fromYaml -}} 16 | {{- $protocol := regexFind "^ldap[s]*" $ldap.url -}} 17 | {{- if eq $protocol "ldap" }} 18 | {{- print "389" -}} 19 | {{- else -}} 20 | {{- print "636" -}} 21 | {{- end -}} 22 | {{- end -}} 23 | {{- end -}} 24 | 25 | {{- define "gitlab.ldap.base" -}} 26 | {{- if $.Values.gitlab.ldap.base -}} 27 | {{ $.Values.gitlab.ldap.base }} 28 | {{- else -}} 29 | {{- $ldap := include "ldap_def" . | fromYaml -}} 30 | {{- $ldap_base_dn := regexReplaceAll "^ldap[s]*://" $ldap.url "${1}" | regexFind "/.*" | trimAll "/" | regexFind "^([^?]+)" }} 31 | {{- printf "%s%s" "cn=accounts," $ldap_base_dn -}} 32 | {{- end -}} 33 | {{- end -}} 34 | 35 | {{- define "gitlab.ldap.uri" -}} 36 | {{- if $.Values.gitlab.ldap.uri -}} 37 | {{ $.Values.gitlab.ldap.uri }} 38 | {{- else -}} 39 | {{- $ldap := include "ldap_def" . | fromYaml -}} 40 | {{- regexReplaceAll "^ldap[s]*://" $ldap.url "${1}" | regexFind ".*/" | trimAll "/" | regexFind "^([^:]+)" }} 41 | {{- end -}} 42 | {{- end -}} 43 | 44 | {{- define "gitlab.ldap.user_filter" -}} 45 | {{ $.Values.gitlab.ldap.user_filter }} 46 | {{- end -}} 47 | 48 | {{- define "gitlab.ldap.encryption" -}} 49 | {{- if $.Values.gitlab.ldap.encryption -}} 50 | {{ $.Values.gitlab.ldap.encryption -}} 51 | {{- else -}} 52 | {{ $enc := include "gitlab.ldap.port" . }} 53 | {{- if eq $enc "636" -}} 54 | {{- print "simple_tls" -}} 55 | {{- else -}} 56 | {{- print "plain" -}} 57 | {{- end -}} 58 | {{- end -}} 59 | {{- end -}} 60 | 61 | {{- define "gitlab.ldap.secret_name" -}} 62 | {{ $ldap := include "ldap_def" . 
| fromYaml -}} 63 | {{- print $ldap.bindPassword.name -}} 64 | {{- end -}} 65 | 66 | {{- define "gitlab.ldap.bind_password" -}} 67 | {{- if $.Values.gitlab.ldap.password -}} 68 | {{ $.Values.gitlab.ldap.password }} 69 | {{- else -}} 70 | {{- $secret := include "gitlab.ldap.secret_name" . -}} 71 | {{- if (lookup "v1" "Secret" "openshift-config" $secret ) }} 72 | {{- print (lookup "v1" "Secret" "openshift-config" $secret ).data.bindPassword | b64dec -}} 73 | {{- end }} 74 | {{- end }} 75 | {{- end }} 76 | 77 | {{- define "gitlab.ldap.bind_dn" -}} 78 | {{- if $.Values.gitlab.ldap.bind_dn -}} 79 | {{ $.Values.gitlab.ldap.bind_dn }} 80 | {{- else -}} 81 | {{- $ldap := include "ldap_def" . | fromYaml -}} 82 | {{- print $ldap.bindDN -}} 83 | {{- end -}} 84 | {{- end -}} 85 | 86 | {{- define "tl500.app_domain" -}} 87 | {{- if (lookup "operator.openshift.io/v1" "IngressController" "openshift-ingress-operator" "default") -}} 88 | {{- print (lookup "operator.openshift.io/v1" "IngressController" "openshift-ingress-operator" "default").status.domain -}} 89 | {{- else -}} 90 | {{- print "example.com" -}} 91 | {{- end -}} 92 | {{- end -}} 93 | 94 | {{- define "gitlab.root_password" -}} 95 | {{- $secretName := (printf "%v-credentials" .Values.gitlab.app_name) -}} 96 | {{- $password := default (randAlphaNum 10) .Values.gitlab.credentials.root_password }} 97 | {{- if not .Values.gitlab.credentials.root_password }} 98 | {{- $existingSecret := (lookup "v1" "Secret" .Values.gitlab.namespace $secretName) }} 99 | {{- if $existingSecret }} 100 | {{- $password = index $existingSecret.data "root_password" | b64dec }} 101 | {{- end -}} 102 | {{- end -}} 103 | {{- print $password -}} 104 | {{- end -}} 105 | 106 | {{- define "gitlab.postgres.user" -}} 107 | {{- $secretName := (printf "%v-credentials" .Values.gitlab.app_name) -}} 108 | {{- $username := default (randAlphaNum 10) .Values.gitlab.credentials.postgres_user }} 109 | {{- if not .Values.gitlab.credentials.postgres_user }} 110 | {{- 
$existingSecret := (lookup "v1" "Secret" .Values.gitlab.namespace $secretName) }} 111 | {{- if $existingSecret }} 112 | {{- $username = index $existingSecret.data "postgres_user" | b64dec }} 113 | {{- end -}} 114 | {{- end -}} 115 | {{- print $username -}} 116 | {{- end -}} 117 | 118 | {{- define "gitlab.postgres.password" -}} 119 | {{- $secretName := (printf "%v-credentials" .Values.gitlab.app_name) -}} 120 | {{- $password := default (randAlphaNum 10) .Values.gitlab.credentials.postgres_password }} 121 | {{- if not .Values.gitlab.credentials.postgres_password }} 122 | {{- $existingSecret := (lookup "v1" "Secret" .Values.gitlab.namespace $secretName) }} 123 | {{- if $existingSecret }} 124 | {{- $password = index $existingSecret.data "postgres_password" | b64dec }} 125 | {{- end -}} 126 | {{- end -}} 127 | {{- print $password -}} 128 | {{- end -}} 129 | 130 | {{- define "gitlab.postgres.admin_password" -}} 131 | {{- $secretName := (printf "%v-credentials" .Values.gitlab.app_name) -}} 132 | {{- $password := default (randAlphaNum 10) .Values.gitlab.credentials.postgres_admin_password }} 133 | {{- if not .Values.gitlab.credentials.postgres_admin_password }} 134 | {{- $existingSecret := (lookup "v1" "Secret" .Values.gitlab.namespace $secretName) }} 135 | {{- if $existingSecret }} 136 | {{- $password = index $existingSecret.data "postgres_admin_password" | b64dec }} 137 | {{- end -}} 138 | {{- end -}} 139 | {{- print $password -}} 140 | {{- end -}} 141 | -------------------------------------------------------------------------------- /tooling/charts/tl500-base/templates/gitlab/anyuid-scc.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.gitlab }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRoleBinding 4 | metadata: 5 | name: system:openshift:scc:anyuid-{{ .Values.gitlab.app_name }} 6 | roleRef: 7 | apiGroup: rbac.authorization.k8s.io 8 | kind: ClusterRole 9 | name: system:openshift:scc:anyuid 10 | 
subjects: 11 | - kind: ServiceAccount 12 | name: {{ .Values.gitlab.app_name }}-user 13 | namespace: {{ .Values.gitlab.namespace }} 14 | {{- end }} 15 | -------------------------------------------------------------------------------- /tooling/charts/tl500-base/templates/gitlab/deployments.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.gitlab -}} 2 | --- 3 | kind: DeploymentConfig 4 | apiVersion: apps.openshift.io/v1 5 | metadata: 6 | name: "{{ .Values.gitlab.app_name }}" 7 | namespace: "{{ .Values.gitlab.namespace }}" 8 | labels: 9 | app: "{{ .Values.gitlab.app_name }}" 10 | spec: 11 | strategy: 12 | type: Recreate 13 | triggers: 14 | - type: ConfigChange 15 | - type: ImageChange 16 | imageChangeParams: 17 | automatic: true 18 | containerNames: 19 | - gitlab-ce 20 | from: 21 | kind: ImageStreamTag 22 | name: "{{ .Values.gitlab.app_name }}-{{ .Values.gitlab.imagestreams.gitlab.name }}:{{ .Values.gitlab.imagestreams.gitlab.tag_name }}" 23 | replicas: 1 24 | test: false 25 | selector: 26 | app: "{{ .Values.gitlab.app_name }}" 27 | deploymentconfig: "{{ .Values.gitlab.app_name }}" 28 | template: 29 | metadata: 30 | labels: 31 | app: "{{ .Values.gitlab.app_name }}" 32 | deploymentconfig: "{{ .Values.gitlab.app_name }}" 33 | spec: 34 | {{- if .Values.runOnInfra }} 35 | nodeSelector: 36 | node-role.kubernetes.io/infra: '' 37 | tolerations: 38 | - effect: NoSchedule 39 | key: node-role.kubernetes.io/infra 40 | value: reserved 41 | - effect: NoExecute 42 | key: node-role.kubernetes.io/infra 43 | value: reserved 44 | {{- end }} 45 | volumes: 46 | - name: gitlab-ce-volume-1 47 | persistentVolumeClaim: 48 | claimName: "{{ .Values.gitlab.app_name }}-etc" 49 | - name: gitlab-ce-volume-2 50 | persistentVolumeClaim: 51 | claimName: "{{ .Values.gitlab.app_name }}-data" 52 | {{- if .Values.gitlab.cacert }} 53 | - name: gitlab-ca 54 | secret: 55 | defaultMode: 420 56 | items: 57 | - key: "ca-cert.crt" 58 | path: "ca-cert.crt" 
59 | secretName: "{{ .Values.gitlab.app_name }}-ca" 60 | {{- end }} 61 | containers: 62 | - name: gitlab-ce 63 | image: repository.local/replaced-by-image-stream-trigger 64 | ports: 65 | - containerPort: 22 66 | protocol: TCP 67 | - containerPort: 80 68 | protocol: TCP 69 | env: 70 | - name: ROOT_PASSWORD 71 | valueFrom: 72 | secretKeyRef: 73 | name: "{{ .Values.gitlab.app_name }}-credentials" 74 | key: root_password 75 | optional: false 76 | - name: POSTGRESQL_USER 77 | valueFrom: 78 | secretKeyRef: 79 | name: "{{ .Values.gitlab.app_name }}-credentials" 80 | key: postgres_user 81 | optional: false 82 | - name: POSTGRESQL_PASSWORD 83 | valueFrom: 84 | secretKeyRef: 85 | name: "{{ .Values.gitlab.app_name }}-credentials" 86 | key: postgres_password 87 | optional: false 88 | - name: GITLAB_OMNIBUS_CONFIG 89 | value: 90 | root_pass="$(ROOT_PASSWORD)"; 91 | external_url "https://{{ .Values.gitlab.app_name }}.{{ include "tl500.app_domain" . }}"; 92 | nginx['listen_port']=80; 93 | nginx['listen_https']=false; 94 | gitlab_rails['initial_root_password']=root_pass; 95 | gitlab_rails['gitlab_port']=80; 96 | letsencrypt['enable'] = false; 97 | postgresql['enable']=false; 98 | gitlab_rails['db_host'] = '{{ .Values.gitlab.app_name }}-postgresql'; 99 | gitlab_rails['db_password']="$(POSTGRESQL_PASSWORD)"; 100 | gitlab_rails['db_username']="$(POSTGRESQL_USER)"; 101 | gitlab_rails['db_database']='{{ .Values.gitlab.db_name | default "gitlabhq_production" }}'; 102 | redis['enable'] = false; 103 | gitlab_rails['redis_host']='{{ .Values.gitlab.app_name }}-redis'; 104 | unicorn['worker_processes'] = {{ .Values.gitlab.uni_workers | default 2 }}; 105 | manage_accounts['enable'] = true; 106 | manage_storage_directories['manage_etc'] = false; 107 | gitlab_shell['auth_file'] = '/gitlab-data/ssh/authorized_keys'; 108 | git_data_dirs({ 'default' => { 'path' => '/gitlab-data/git-data' } }); 109 | gitlab_rails['shared_path'] = '/gitlab-data/shared'; 110 | gitlab_rails['uploads_directory'] = 
'/gitlab-data/uploads'; 111 | gitlab_ci['builds_directory'] = '/gitlab-data/builds'; 112 | prometheus_monitoring['enable'] = false; 113 | gitlab_rails['rack_attack_git_basic_auth'] = { 'enabled' => false, }; 114 | gitlab_rails['ldap_enabled'] = true; 115 | gitlab_rails['ldap_servers'] = { 'main' => { 'label' => '{{ .Values.gitlab.label | default "LDAP" }}', 'host' => '{{ include "gitlab.ldap.uri" . }}', 'port' => '{{ include "gitlab.ldap.port" . }}', 'uid' => 'uid', 'bind_dn' => '{{ include "gitlab.ldap.bind_dn" . }}', 'password' => '{{ include "gitlab.ldap.bind_password" . }}', 'encryption' => '{{ include "gitlab.ldap.encryption" . }}', 'verify_certificates' => {{ .Values.gitlab.ldap.validate_certs | default false }}, 'allow_username_or_email_login' => true, 'block_auto_created_users' => false, 'active_directory' => false, 'base' => '{{ include "gitlab.ldap.base" . }}', 'user_filter' => '{{ include "gitlab.ldap.user_filter" . | default "" }}', 'attributes' => { 'username' => ['uid'], 'email' => ['mail'], 'name' => 'displayName' } } }; 116 | gitlab_rails['gitlab_signup_enabled'] = false; 117 | resources: 118 | limits: 119 | cpu: '2' 120 | memory: 6Gi 121 | requests: 122 | cpu: 500m 123 | memory: 1Gi 124 | volumeMounts: 125 | - name: gitlab-ce-volume-1 126 | mountPath: "/etc/gitlab" 127 | - name: gitlab-ce-volume-2 128 | mountPath: "/gitlab-data" 129 | {{- if .Values.gitlab.cacert }} 130 | - name: gitlab-ca 131 | mountPath: /etc/gitlab-ssl 132 | {{- end }} 133 | livenessProbe: 134 | httpGet: 135 | path: "/help" 136 | port: 80 137 | scheme: HTTP 138 | initialDelaySeconds: 120 139 | timeoutSeconds: 1 140 | periodSeconds: 10 141 | successThreshold: 1 142 | failureThreshold: 3 143 | readinessProbe: 144 | httpGet: 145 | path: "/help" 146 | port: 80 147 | scheme: HTTP 148 | initialDelaySeconds: 20 149 | timeoutSeconds: 1 150 | periodSeconds: 10 151 | successThreshold: 1 152 | failureThreshold: 3 153 | terminationMessagePath: "/dev/termination-log" 154 | imagePullPolicy: 
IfNotPresent 155 | restartPolicy: Always 156 | terminationGracePeriodSeconds: 30 157 | dnsPolicy: ClusterFirst 158 | serviceAccount: "{{ .Values.gitlab.app_name }}-user" 159 | --- 160 | kind: DeploymentConfig 161 | apiVersion: apps.openshift.io/v1 162 | metadata: 163 | name: "{{ .Values.gitlab.app_name }}-redis" 164 | namespace: "{{ .Values.gitlab.namespace }}" 165 | labels: 166 | app: "{{ .Values.gitlab.app_name }}" 167 | spec: 168 | strategy: 169 | type: Recreate 170 | recreateParams: {} 171 | resources: {} 172 | triggers: 173 | - type: ConfigChange 174 | - type: ImageChange 175 | imageChangeParams: 176 | automatic: true 177 | containerNames: 178 | - gitlab-ce-redis 179 | from: 180 | kind: ImageStreamTag 181 | name: "{{ .Values.gitlab.app_name }}-{{ .Values.gitlab.imagestreams.redis.name }}:{{ .Values.gitlab.imagestreams.redis.tag_name }}" 182 | replicas: 1 183 | test: false 184 | selector: 185 | app: "{{ .Values.gitlab.app_name }}" 186 | deploymentconfig: "{{ .Values.gitlab.app_name }}-redis" 187 | template: 188 | metadata: 189 | labels: 190 | app: "{{ .Values.gitlab.app_name }}" 191 | deploymentconfig: "{{ .Values.gitlab.app_name }}-redis" 192 | spec: 193 | {{- if .Values.runOnInfra }} 194 | nodeSelector: 195 | node-role.kubernetes.io/infra: '' 196 | tolerations: 197 | - effect: NoSchedule 198 | key: node-role.kubernetes.io/infra 199 | value: reserved 200 | - effect: NoExecute 201 | key: node-role.kubernetes.io/infra 202 | value: reserved 203 | {{- end }} 204 | volumes: 205 | - name: gitlab-ce-volume-4 206 | persistentVolumeClaim: 207 | claimName: "{{ .Values.gitlab.app_name }}-redis-data" 208 | containers: 209 | - name: gitlab-ce-redis 210 | image: repository.local/replaced-by-image-stream-trigger 211 | command: 212 | - "/bin/sh" 213 | - "-ec" 214 | args: 215 | - exec redis-server 216 | ports: 217 | - containerPort: 6379 218 | protocol: TCP 219 | resources: 220 | limits: 221 | cpu: '1' 222 | memory: 512Mi 223 | requests: 224 | cpu: 100m 225 | memory: 300Mi 226 
| volumeMounts: 227 | - name: gitlab-ce-volume-4 228 | mountPath: "/data" 229 | terminationMessagePath: "/dev/termination-log" 230 | imagePullPolicy: IfNotPresent 231 | restartPolicy: Always 232 | terminationGracePeriodSeconds: 30 233 | dnsPolicy: ClusterFirst 234 | --- 235 | kind: DeploymentConfig 236 | apiVersion: apps.openshift.io/v1 237 | metadata: 238 | name: "{{ .Values.gitlab.app_name }}-postgresql" 239 | namespace: "{{ .Values.gitlab.namespace }}" 240 | labels: 241 | app: "{{ .Values.gitlab.app_name }}" 242 | spec: 243 | strategy: 244 | type: Recreate 245 | # this doesn't work when on an infra node as the node selector is inherited from the Deploy but the tollerations are not... 246 | {{- if not .Values.runOnInfra }} 247 | recreateParams: 248 | post: 249 | failurePolicy: Abort 250 | execNewPod: 251 | containerName: gitlab-ce-postgresql 252 | command: 253 | - /bin/bash 254 | - -c 255 | - | 256 | psql -h '{{ .Values.gitlab.app_name }}-postgresql' -U postgres -d {{ .Values.gitlab.db_name | default "gitlabhq_production" }} -c 'CREATE EXTENSION IF NOT EXISTS pg_trgm;' 257 | exit 0 258 | env: 259 | - name: HOME 260 | value: "/var/lib/pgsql" 261 | - name: PGDATA 262 | value: "/var/lib/pgsql/data/userdata" 263 | - name: CONTAINER_SCRIPTS_PATH 264 | value: "/usr/share/container-scripts/postgresql" 265 | - name: PGPASSWORD 266 | valueFrom: 267 | secretKeyRef: 268 | name: "{{ .Values.gitlab.app_name }}-credentials" 269 | key: postgres_admin_password 270 | optional: false 271 | {{- end }} 272 | resources: {} 273 | triggers: 274 | - type: ConfigChange 275 | - type: ImageChange 276 | imageChangeParams: 277 | automatic: true 278 | containerNames: 279 | - gitlab-ce-postgresql 280 | from: 281 | kind: ImageStreamTag 282 | name: "{{ .Values.gitlab.app_name }}-{{ .Values.gitlab.imagestreams.postgresql.name }}:{{ .Values.gitlab.imagestreams.postgresql.tag_name }}" 283 | namespace: {{ .Values.gitlab.namespace }} 284 | replicas: 1 285 | test: false 286 | selector: 287 | app: "{{ 
.Values.gitlab.app_name }}" 288 | deploymentconfig: "{{ .Values.gitlab.app_name }}-postgresql" 289 | template: 290 | metadata: 291 | labels: 292 | app: "{{ .Values.gitlab.app_name }}" 293 | deploymentconfig: "{{ .Values.gitlab.app_name }}-postgresql" 294 | spec: 295 | {{- if .Values.runOnInfra }} 296 | nodeSelector: 297 | node-role.kubernetes.io/infra: '' 298 | tolerations: 299 | - effect: NoSchedule 300 | key: node-role.kubernetes.io/infra 301 | value: reserved 302 | - effect: NoExecute 303 | key: node-role.kubernetes.io/infra 304 | value: reserved 305 | {{- end }} 306 | volumes: 307 | - name: gitlab-ce-volume-3 308 | persistentVolumeClaim: 309 | claimName: "{{ .Values.gitlab.app_name }}-postgresql" 310 | containers: 311 | - name: gitlab-ce-postgresql 312 | image: repository.local/replaced-by-image-stream-trigger 313 | ports: 314 | - containerPort: 5432 315 | protocol: TCP 316 | readinessProbe: 317 | timeoutSeconds: 1 318 | initialDelaySeconds: 5 319 | exec: 320 | command: 321 | - "/bin/sh" 322 | - "-i" 323 | - "-c" 324 | - psql -h 127.0.0.1 -U $POSTGRESQL_USER -q -d $POSTGRESQL_DATABASE -c 325 | 'SELECT 1' 326 | livenessProbe: 327 | timeoutSeconds: 1 328 | initialDelaySeconds: 30 329 | tcpSocket: 330 | port: 5432 331 | env: 332 | - name: POSTGRESQL_USER 333 | valueFrom: 334 | secretKeyRef: 335 | name: "{{ .Values.gitlab.app_name }}-credentials" 336 | key: postgres_user 337 | optional: false 338 | - name: POSTGRESQL_PASSWORD 339 | valueFrom: 340 | secretKeyRef: 341 | name: "{{ .Values.gitlab.app_name }}-credentials" 342 | key: postgres_password 343 | optional: false 344 | - name: POSTGRESQL_DATABASE 345 | value: "{{ .Values.gitlab.db_name | default "gitlabhq_production" }}" 346 | - name: POSTGRESQL_ADMIN_PASSWORD 347 | valueFrom: 348 | secretKeyRef: 349 | name: "{{ .Values.gitlab.app_name }}-credentials" 350 | key: postgres_admin_password 351 | optional: false 352 | resources: 353 | limits: 354 | cpu: '1' 355 | memory: 1024Mi 356 | requests: 357 | cpu: 300m 358 | 
memory: 300Mi 359 | volumeMounts: 360 | - name: gitlab-ce-volume-3 361 | mountPath: "/var/lib/pgsql/data" 362 | terminationMessagePath: "/dev/termination-log" 363 | imagePullPolicy: IfNotPresent 364 | restartPolicy: Always 365 | terminationGracePeriodSeconds: 30 366 | dnsPolicy: ClusterFirst 367 | {{- if .Values.runOnInfra }} 368 | --- 369 | apiVersion: batch/v1 370 | kind: Job 371 | metadata: 372 | name: "{{ .Values.gitlab.app_name }}-configure-postgresql" 373 | namespace: "{{ .Values.gitlab.namespace }}" 374 | spec: 375 | template: 376 | spec: 377 | nodeSelector: 378 | node-role.kubernetes.io/infra: '' 379 | tolerations: 380 | - effect: NoSchedule 381 | key: node-role.kubernetes.io/infra 382 | value: reserved 383 | - effect: NoExecute 384 | key: node-role.kubernetes.io/infra 385 | value: reserved 386 | containers: 387 | - command: 388 | - /bin/bash 389 | - -c 390 | - | 391 | echo "Waiting for postgresql to be ready..." 392 | until pg_isready -h '{{ .Values.gitlab.app_name }}-postgresql' -p 5432 393 | do 394 | sleep 1 395 | done 396 | psql -h '{{ .Values.gitlab.app_name }}-postgresql' -U postgres -d {{ .Values.gitlab.db_name | default "gitlabhq_production" }} -c 'CREATE EXTENSION IF NOT EXISTS pg_trgm;' 397 | exit 0 398 | image: "{{ .Values.gitlab.imagestreams.postgresql.stream_uri }}" 399 | imagePullPolicy: IfNotPresent 400 | name: job 401 | env: 402 | - name: HOME 403 | value: "/var/lib/pgsql" 404 | - name: PGDATA 405 | value: "/var/lib/pgsql/data/userdata" 406 | - name: CONTAINER_SCRIPTS_PATH 407 | value: "/usr/share/container-scripts/postgresql" 408 | - name: PGPASSWORD 409 | valueFrom: 410 | secretKeyRef: 411 | name: "{{ .Values.gitlab.app_name }}-credentials" 412 | key: postgres_admin_password 413 | optional: false 414 | dnsPolicy: ClusterFirst 415 | restartPolicy: OnFailure 416 | terminationGracePeriodSeconds: 10 417 | {{- end }} 418 | {{- end -}} 419 | -------------------------------------------------------------------------------- 
/tooling/charts/tl500-base/templates/gitlab/imagestreams.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.gitlab -}} 2 | {{- range $is := .Values.gitlab.imagestreams }} 3 | --- 4 | kind: ImageStream 5 | apiVersion: image.openshift.io/v1 6 | metadata: 7 | name: "{{ $.Values.gitlab.app_name }}-{{ $is.name }}" 8 | namespace: {{ $.Values.gitlab.namespace }} 9 | labels: 10 | app: "{{ $.Values.gitlab.app_name }}" 11 | spec: 12 | tags: 13 | - name: {{ $is.tag_name }} 14 | from: 15 | kind: DockerImage 16 | name: {{ $is.stream_uri }} 17 | {{- end }} 18 | {{- end }} 19 | -------------------------------------------------------------------------------- /tooling/charts/tl500-base/templates/gitlab/routes.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.gitlab }} 2 | kind: Route 3 | apiVersion: route.openshift.io/v1 4 | metadata: 5 | name: "{{ .Values.gitlab.app_name }}" 6 | namespace: "{{ .Values.gitlab.namespace }}" 7 | labels: 8 | app: "{{ .Values.gitlab.app_name }}" 9 | spec: 10 | host: {{ .Values.gitlab.app_name }}.{{ include "tl500.app_domain" . }} 11 | to: 12 | kind: Service 13 | name: "{{ .Values.gitlab.app_name }}" 14 | weight: 100 15 | port: 16 | targetPort: 80-http 17 | tls: 18 | termination: edge 19 | insecureEdgeTerminationPolicy: Redirect 20 | wildcardPolicy: None 21 | {{- end }} 22 | -------------------------------------------------------------------------------- /tooling/charts/tl500-base/templates/gitlab/secrets.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.gitlab -}} 2 | {{ $root_pass := include "gitlab.root_password" . }} 3 | {{ $db_user := include "gitlab.postgres.user" . }} 4 | {{ $db_pass := include "gitlab.postgres.password" . }} 5 | {{ $db_admin_pass := include "gitlab.postgres.admin_password" . 
}} 6 | --- 7 | apiVersion: v1 8 | kind: Secret 9 | metadata: 10 | name: "{{ .Values.gitlab.app_name }}-credentials" 11 | namespace: "{{ .Values.gitlab.namespace }}" 12 | annotations: 13 | "helm.sh/resource-policy": "keep" 14 | type: Opaque 15 | data: 16 | root_password: {{ $root_pass | b64enc | quote }} 17 | postgres_user: {{ $db_user | b64enc | quote }} 18 | postgres_password: {{ $db_pass | b64enc | quote }} 19 | postgres_admin_password: {{ $db_admin_pass | b64enc | quote }} 20 | immutable: true 21 | {{- if .Values.gitlab.cacert }} 22 | --- 23 | apiVersion: v1 24 | kind: Secret 25 | metadata: 26 | name: "{{ .Values.gitlab.app_name }}-ca" 27 | namespace: "{{ .Values.gitlab.namespace }}" 28 | type: Opaque 29 | data: 30 | ca-cert.crt: "{{ .Values.gitlab.cacert }}" 31 | {{- end }} 32 | {{- end }} -------------------------------------------------------------------------------- /tooling/charts/tl500-base/templates/gitlab/serviceaccounts.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.gitlab }} 2 | --- 3 | kind: ServiceAccount 4 | apiVersion: v1 5 | metadata: 6 | name: "{{ .Values.gitlab.app_name }}-user" 7 | namespace: "{{ .Values.gitlab.namespace }}" 8 | {{- end -}} 9 | -------------------------------------------------------------------------------- /tooling/charts/tl500-base/templates/gitlab/services.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.gitlab }} 2 | --- 3 | kind: Service 4 | apiVersion: v1 5 | metadata: 6 | name: "{{ .Values.gitlab.app_name }}" 7 | namespace: "{{ .Values.gitlab.namespace }}" 8 | labels: 9 | app: "{{ .Values.gitlab.app_name }}" 10 | spec: 11 | ports: 12 | - name: 22-ssh 13 | protocol: TCP 14 | port: 22 15 | targetPort: 22 16 | - name: 80-http 17 | protocol: TCP 18 | port: 80 19 | targetPort: 80 20 | selector: 21 | app: "{{ .Values.gitlab.app_name }}" 22 | deploymentconfig: "{{ .Values.gitlab.app_name }}" 23 | type: ClusterIP 
24 | sessionAffinity: None 25 | --- 26 | kind: Service 27 | apiVersion: v1 28 | metadata: 29 | name: "{{ .Values.gitlab.app_name }}-redis" 30 | namespace: "{{ .Values.gitlab.namespace }}" 31 | labels: 32 | app: "{{ .Values.gitlab.app_name }}" 33 | spec: 34 | ports: 35 | - name: 6379-redis 36 | protocol: TCP 37 | port: 6379 38 | targetPort: 6379 39 | selector: 40 | app: "{{ .Values.gitlab.app_name }}" 41 | deploymentconfig: "{{ .Values.gitlab.app_name }}-redis" 42 | type: ClusterIP 43 | sessionAffinity: None 44 | --- 45 | kind: Service 46 | apiVersion: v1 47 | metadata: 48 | name: "{{ .Values.gitlab.app_name }}-postgresql" 49 | namespace: "{{ .Values.gitlab.namespace }}" 50 | labels: 51 | app: "{{ .Values.gitlab.app_name }}" 52 | spec: 53 | ports: 54 | - name: 5432-postgresql 55 | protocol: TCP 56 | port: 5432 57 | targetPort: 5432 58 | selector: 59 | app: "{{ .Values.gitlab.app_name }}" 60 | deploymentconfig: "{{ .Values.gitlab.app_name }}-postgresql" 61 | type: ClusterIP 62 | sessionAffinity: None 63 | {{- end }} 64 | -------------------------------------------------------------------------------- /tooling/charts/tl500-base/templates/gitlab/volumeclaims.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.gitlab }} 2 | --- 3 | kind: PersistentVolumeClaim 4 | apiVersion: v1 5 | metadata: 6 | name: "{{ .Values.gitlab.app_name }}-redis-data" 7 | namespace: "{{ .Values.gitlab.namespace }}" 8 | spec: 9 | accessModes: 10 | - ReadWriteOnce 11 | resources: 12 | requests: 13 | storage: "{{ .Values.gitlab.redis_size | default "1Gi" }}" 14 | --- 15 | kind: PersistentVolumeClaim 16 | apiVersion: v1 17 | metadata: 18 | name: "{{ .Values.gitlab.app_name }}-etc" 19 | namespace: "{{ .Values.gitlab.namespace }}" 20 | spec: 21 | accessModes: 22 | - ReadWriteOnce 23 | resources: 24 | requests: 25 | storage: "{{ .Values.gitlab.etc_size | default "100Mi" }}" 26 | --- 27 | kind: PersistentVolumeClaim 28 | apiVersion: v1 29 | 
metadata: 30 | name: "{{ .Values.gitlab.app_name }}-data" 31 | namespace: "{{ .Values.gitlab.namespace }}" 32 | spec: 33 | accessModes: 34 | - ReadWriteOnce 35 | resources: 36 | requests: 37 | storage: "{{ .Values.gitlab.data_size | default "10Gi" }}" 38 | --- 39 | kind: PersistentVolumeClaim 40 | apiVersion: v1 41 | metadata: 42 | name: "{{ .Values.gitlab.app_name }}-postgresql" 43 | namespace: "{{ .Values.gitlab.namespace }}" 44 | spec: 45 | accessModes: 46 | - ReadWriteOnce 47 | resources: 48 | requests: 49 | storage: "{{ .Values.gitlab.postgres_size | default "2Gi" }}" 50 | {{- end }} 51 | -------------------------------------------------------------------------------- /tooling/charts/tl500-base/templates/logging/namespace.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: {{ index .Values "logging" "namespace" | quote }} 6 | labels: 7 | openshift.io/cluster-monitoring: "true" 8 | --- 9 | apiVersion: v1 10 | kind: Namespace 11 | metadata: 12 | name: openshift-operators-redhat 13 | labels: 14 | openshift.io/cluster-monitoring: "true" 15 | --- 16 | apiVersion: v1 17 | kind: Namespace 18 | metadata: 19 | name: openshift-cluster-observability-operator 20 | labels: 21 | openshift.io/cluster-monitoring: "true" -------------------------------------------------------------------------------- /tooling/charts/tl500-base/templates/machineset-infra.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.machineset.enabled }} 2 | --- 3 | # https://docs.openshift.com/container-platform/4.11/machine_management/creating_machinesets/creating-machineset-aws.html 4 | apiVersion: machine.openshift.io/v1beta1 5 | kind: MachineSet 6 | metadata: 7 | labels: 8 | machine.openshift.io/cluster-api-cluster: {{ .Values.machineset.cluster_id }} 9 | name: {{ .Values.machineset.cluster_id }}-infra-{{ .Values.machineset.availability_zone 
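}}
  namespace: openshift-machine-api
spec:
  replicas: 1
  selector:
    matchLabels:
      machine.openshift.io/cluster-api-cluster: {{ .Values.machineset.cluster_id }}
      machine.openshift.io/cluster-api-machineset: {{ .Values.machineset.cluster_id }}-infra-{{ .Values.machineset.availability_zone }}
  template:
    metadata:
      labels:
        machine.openshift.io/cluster-api-cluster: {{ .Values.machineset.cluster_id }}
        machine.openshift.io/cluster-api-machine-role: infra
        machine.openshift.io/cluster-api-machine-type: infra
        machine.openshift.io/cluster-api-machineset: {{ .Values.machineset.cluster_id }}-infra-{{ .Values.machineset.availability_zone }}
    spec:
      metadata:
        labels:
          node-role.kubernetes.io/infra: ""
          node-role.kubernetes.io: infra
      # keep ordinary workloads off the infra nodes; only pods that tolerate this taint land here
      taints:
        - effect: NoSchedule
          key: node-role.kubernetes.io/infra
          value: reserved
        - effect: NoExecute
          key: node-role.kubernetes.io/infra
          value: reserved
      providerSpec:
        value:
          # The AMI is region-specific. Take it from values (machineset.ami_id, which
          # already exists in values.yaml) instead of pinning one image id here, so the
          # configured value is what actually gets launched.
          ami:
            id: {{ .Values.machineset.ami_id }}
          apiVersion: awsproviderconfig.openshift.io/v1beta1
          blockDevices:
            - ebs:
                iops: 0
                volumeSize: 120
                volumeType: gp2
          credentialsSecret:
            name: aws-cloud-credentials
          instanceType: m6i.xlarge
          deviceIndex: 0
          iamInstanceProfile:
            id: {{ .Values.machineset.cluster_id }}-worker-profile
          kind: AWSMachineProviderConfig
          placement:
            availabilityZone: {{ .Values.machineset.availability_zone }}
            # AWSMachineProviderConfig placement takes "region"; the key used before
            # ("availability_zone") is not a field of the provider spec, so the region
            # value was silently dropped.
            region: {{ .Values.machineset.region }}
          securityGroups:
            - filters:
                - name: tag:Name
                  values:
                    - {{ .Values.machineset.cluster_id }}-worker-sg
          subnet:
            filters:
              - name: tag:Name
                values:
                  - {{ .Values.machineset.cluster_id }}-private-{{ .Values.machineset.availability_zone }}
          tags:
            - name: kubernetes.io/cluster/{{ .Values.machineset.cluster_id }}
              value: owned
          userDataSecret:
            name: 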
worker-user-data 71 | {{- end }} -------------------------------------------------------------------------------- /tooling/charts/tl500-base/templates/minio/create-bucket-job.yaml: -------------------------------------------------------------------------------- 1 | {{- if not .Values.ignoreHelmHooks }} 2 | --- 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | kind: ClusterRole 5 | metadata: 6 | name: create-bucket-cr 7 | annotations: 8 | "helm.sh/hook": pre-install 9 | "helm.sh/hook-weight": "-5" 10 | "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded 11 | rules: 12 | - apiGroups: 13 | - "" 14 | resources: 15 | - pods 16 | verbs: 17 | - get 18 | - list 19 | --- 20 | apiVersion: rbac.authorization.k8s.io/v1 21 | kind: ClusterRoleBinding 22 | metadata: 23 | name: create-bucket-crb 24 | annotations: 25 | "helm.sh/hook": pre-install 26 | "helm.sh/hook-weight": "-5" 27 | "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded 28 | roleRef: 29 | apiGroup: rbac.authorization.k8s.io 30 | kind: ClusterRole 31 | name: create-bucket-cr 32 | subjects: 33 | - kind: ServiceAccount 34 | name: default 35 | namespace: {{ .Values.minio.namespace }} 36 | --- 37 | apiVersion: batch/v1 38 | kind: Job 39 | metadata: 40 | name: create-bucket 41 | namespace: {{ .Values.minio.namespace }} 42 | annotations: 43 | "helm.sh/hook": post-install,post-upgrade 44 | "helm.sh/hook-weight": "3" 45 | "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded 46 | spec: 47 | template: 48 | spec: 49 | restartPolicy: Never 50 | serviceAccount: default 51 | serviceAccountName: default 52 | containers: 53 | - name: job 54 | image: "quay.io/openshift/origin-cli:latest" 55 | imagePullPolicy: IfNotPresent 56 | command: 57 | - /bin/bash 58 | - -c 59 | - | # create bucket 60 | oc -n {{ .Values.minio.namespace }} wait pod --for=condition=Ready -l app=minio 61 | curl -o /tmp/mc https://dl.min.io/client/mc/release/linux-amd64/mc 62 | chmod +x /tmp/mc 63 | /tmp/mc --config-dir /tmp/ 
alias set myminio http://minio-service.{{ .Values.minio.namespace }}.svc.cluster.local:9000 minio IJrixDGbADAkgey5 64 | /tmp/mc --config-dir /tmp/ mb myminio/loki 65 | {{- end }} -------------------------------------------------------------------------------- /tooling/charts/tl500-base/templates/minio/deployment.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | kind: Deployment 3 | apiVersion: apps/v1 4 | metadata: 5 | name: minio 6 | namespace: "{{ .Values.minio.namespace }}" 7 | spec: 8 | replicas: 1 9 | selector: 10 | matchLabels: 11 | app: minio 12 | template: 13 | metadata: 14 | labels: 15 | app: minio 16 | spec: 17 | volumes: 18 | - name: data 19 | persistentVolumeClaim: 20 | claimName: minio-pvc 21 | containers: 22 | - resources: 23 | limits: 24 | cpu: 250m 25 | memory: 1Gi 26 | requests: 27 | cpu: 20m 28 | memory: 100Mi 29 | readinessProbe: 30 | tcpSocket: 31 | port: 9000 32 | initialDelaySeconds: 5 33 | timeoutSeconds: 1 34 | periodSeconds: 5 35 | successThreshold: 1 36 | failureThreshold: 3 37 | terminationMessagePath: /dev/termination-log 38 | name: minio 39 | livenessProbe: 40 | tcpSocket: 41 | port: 9000 42 | initialDelaySeconds: 30 43 | timeoutSeconds: 1 44 | periodSeconds: 5 45 | successThreshold: 1 46 | failureThreshold: 3 47 | env: 48 | - name: MINIO_ROOT_USER 49 | valueFrom: 50 | secretKeyRef: 51 | name: minio-secret 52 | key: minio_root_user 53 | - name: MINIO_ROOT_PASSWORD 54 | valueFrom: 55 | secretKeyRef: 56 | name: minio-secret 57 | key: minio_root_password 58 | ports: 59 | - containerPort: 9000 60 | protocol: TCP 61 | - containerPort: 9090 62 | protocol: TCP 63 | imagePullPolicy: IfNotPresent 64 | volumeMounts: 65 | - name: data 66 | mountPath: /data 67 | subPath: minio 68 | terminationMessagePolicy: File 69 | image: >- 70 | quay.io/minio/minio:RELEASE.2024-06-29T01-20-47Z 71 | args: 72 | - server 73 | - /data 74 | - --console-address 75 | - :9090 76 | restartPolicy: Always 77 | 
terminationGracePeriodSeconds: 30 78 | dnsPolicy: ClusterFirst 79 | securityContext: {} 80 | schedulerName: default-scheduler 81 | strategy: 82 | type: Recreate 83 | revisionHistoryLimit: 10 84 | progressDeadlineSeconds: 600 85 | --- 86 | kind: Route 87 | apiVersion: route.openshift.io/v1 88 | metadata: 89 | name: minio-ui 90 | namespace: "{{ .Values.minio.namespace }}" 91 | spec: 92 | to: 93 | kind: Service 94 | name: minio-service 95 | weight: 100 96 | port: 97 | targetPort: ui 98 | wildcardPolicy: None 99 | tls: 100 | termination: edge 101 | insecureEdgeTerminationPolicy: Redirect 102 | # --- 103 | # kind: Route 104 | # apiVersion: route.openshift.io/v1 105 | # metadata: 106 | # name: minio-api 107 | # namespace: "{{ .Values.minio.namespace }}" 108 | # spec: 109 | # to: 110 | # kind: Service 111 | # name: minio-service 112 | # weight: 100 113 | # port: 114 | # targetPort: api 115 | # wildcardPolicy: None 116 | # tls: 117 | # termination: edge 118 | # insecureEdgeTerminationPolicy: Redirect 119 | 120 | -------------------------------------------------------------------------------- /tooling/charts/tl500-base/templates/minio/pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | kind: PersistentVolumeClaim 3 | apiVersion: v1 4 | metadata: 5 | name: minio-pvc 6 | namespace: "{{ .Values.minio.namespace }}" 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 20Gi 13 | volumeMode: Filesystem -------------------------------------------------------------------------------- /tooling/charts/tl500-base/templates/minio/secret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | kind: Secret 3 | apiVersion: v1 4 | metadata: 5 | name: minio-secret 6 | namespace: "{{ .Values.minio.namespace }}" 7 | stringData: 8 | minio_root_user: minio 9 | minio_root_password: IJrixDGbADAkgey5 # NOTE(review): static root credential committed with the chart. The same literal is repeated in minio/create-bucket-job.yaml (on the mc command line, so it is also readable by anyone who can read that Job's Pod spec) and in tl500-course-content/templates/logging/secret.yaml, so rotating it means changing all three places. Prefer taking it from a chart value supplied at install time (e.g. a new .Values.minio.root_password key) or from a pre-existing Secret rather than a literal here.
-------------------------------------------------------------------------------- /tooling/charts/tl500-base/templates/minio/service.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | kind: Service 3 | apiVersion: v1 4 | metadata: 5 | name: minio-service 6 | namespace: "{{ .Values.minio.namespace }}" 7 | spec: 8 | ipFamilies: 9 | - IPv4 10 | ports: 11 | - name: api 12 | protocol: TCP 13 | port: 9000 14 | targetPort: 9000 15 | - name: ui 16 | protocol: TCP 17 | port: 9090 18 | targetPort: 9090 19 | internalTrafficPolicy: Cluster 20 | type: ClusterIP 21 | ipFamilyPolicy: SingleStack 22 | sessionAffinity: None 23 | selector: 24 | app: minio -------------------------------------------------------------------------------- /tooling/charts/tl500-base/templates/namespace.yaml: -------------------------------------------------------------------------------- 1 | {{- range $key := .Values.namespaces }} 2 | --- 3 | apiVersion: v1 4 | kind: Namespace 5 | metadata: 6 | name: "{{ $.Values.prefix }}{{- if ne $.Values.prefix "" }}-{{- else }}{{ end }}{{ .name }}" 7 | {{- end }} 8 | -------------------------------------------------------------------------------- /tooling/charts/tl500-base/templates/operators/operatorgroup.yaml: -------------------------------------------------------------------------------- 1 | {{- range $key, $value := .Values.operators }} 2 | {{ if eq ($value.enabled | toString) "true" }} 3 | {{- if $value.operatorgroup.create }} 4 | --- 5 | apiVersion: operators.coreos.com/v1 6 | kind: OperatorGroup 7 | metadata: 8 | name: {{ $key | default "tl500-operator-group" | quote }} 9 | namespace: {{ $value.namespace | quote }} 10 | spec: 11 | upgradeStrategy: Default 12 | {{- if (ne $value.operatorgroup.targetNamespace "AllNamespaces") }} 13 | targetNamespaces: 14 | - {{ $value.namespace }} 15 | {{- end }} 16 | {{- end }} 17 | {{- end }} 18 | {{- end }} 19 | 
-------------------------------------------------------------------------------- /tooling/charts/tl500-base/templates/operators/subscription.yaml: -------------------------------------------------------------------------------- 1 | {{- range $key, $value := .Values.operators }} 2 | {{ if eq ($value.enabled | toString) "true" }} 3 | --- 4 | apiVersion: operators.coreos.com/v1alpha1 5 | kind: Subscription 6 | metadata: 7 | name: {{ $key | quote }} 8 | namespace: {{ $value.namespace | quote }} 9 | spec: 10 | channel: {{ $value.subscription.channel }} 11 | installPlanApproval: {{ $value.subscription.approval | default "Automatic" | quote }} 12 | name: {{ $value.subscription.operatorName | quote }} 13 | source: {{ $value.subscription.sourceName | default "redhat-operators" | quote }} 14 | sourceNamespace: {{ $value.subscription.sourceNamespace | default "openshift-marketplace" | quote }} 15 | {{- if $value.subscription.csv }} 16 | startingCSV: {{ $value.subscription.csv }} 17 | {{- end }} 18 | {{- end }} 19 | {{- end }} 20 | 21 | -------------------------------------------------------------------------------- /tooling/charts/tl500-base/templates/registry/config-imageregistry.yaml: -------------------------------------------------------------------------------- 1 | {{- if not .Values.ignoreHelmHooks }} 2 | --- 3 | apiVersion: batch/v1 4 | kind: Job 5 | metadata: 6 | name: config-imageregistry 7 | annotations: 8 | "helm.sh/hook": pre-install 9 | "helm.sh/hook-delete-policy": hook-succeeded 10 | spec: 11 | template: 12 | spec: 13 | restartPolicy: Never 14 | serviceAccount: default 15 | serviceAccountName: default 16 | containers: 17 | - name: job 18 | image: "quay.io/openshift/origin-cli:latest" 19 | imagePullPolicy: IfNotPresent 20 | command: 21 | - /bin/bash 22 | - -c 23 | - | # expose the registry securely 24 | oc patch config.imageregistry.operator.openshift.io/cluster --patch '{"spec":{"defaultRoute":true}}' --type=merge 25 | {{- end }} 
-------------------------------------------------------------------------------- /tooling/charts/tl500-base/templates/registry/rbac.yaml: -------------------------------------------------------------------------------- 1 | {{- if not .Values.ignoreHelmHooks }} 2 | --- 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | kind: ClusterRole 5 | metadata: 6 | name: config-imageregistry 7 | annotations: 8 | "helm.sh/hook": pre-install 9 | "helm.sh/hook-weight": "-5" 10 | "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded 11 | rules: 12 | - apiGroups: 13 | - imageregistry.operator.openshift.io 14 | resources: 15 | - configs 16 | verbs: 17 | - get 18 | - list 19 | - patch 20 | --- 21 | apiVersion: rbac.authorization.k8s.io/v1 22 | kind: ClusterRoleBinding 23 | metadata: 24 | name: config-imageregistry 25 | annotations: 26 | "helm.sh/hook": pre-install 27 | "helm.sh/hook-weight": "-5" 28 | "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded 29 | roleRef: 30 | apiGroup: rbac.authorization.k8s.io 31 | kind: ClusterRole 32 | name: config-imageregistry 33 | subjects: 34 | - kind: ServiceAccount 35 | name: default 36 | namespace: {{ .Release.namespace | default "tl500" }} 37 | {{- end }} 38 | -------------------------------------------------------------------------------- /tooling/charts/tl500-base/templates/tl500-rbac.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # to install ArgoCD with escalated privs 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | kind: ClusterRole 5 | metadata: 6 | name: tl500-clusterrole 7 | rules: 8 | - apiGroups: 9 | - rbac.authorization.k8s.io 10 | resources: 11 | - clusterroles 12 | - roles 13 | - clusterrolebindings 14 | - rolebindings 15 | verbs: 16 | - delete 17 | - deletecollection 18 | - create 19 | - patch 20 | - get 21 | - list 22 | - update 23 | - watch 24 | - bind 25 | - escalate 26 | - apiGroups: 27 | - operators.coreos.com 28 | resources: 29 | - 
clusterserviceversions 30 | - catalogsources 31 | - installplans 32 | - subscriptions 33 | - operatorgroups 34 | verbs: 35 | - get 36 | - list 37 | - watch 38 | - create 39 | - delete 40 | - patch 41 | - update 42 | - apiGroups: 43 | - apiextensions.k8s.io 44 | resources: 45 | - customresourcedefinitions 46 | verbs: 47 | - "*" 48 | --- 49 | apiVersion: rbac.authorization.k8s.io/v1 50 | kind: ClusterRoleBinding 51 | metadata: 52 | name: tl500-clusterrolebinding 53 | roleRef: 54 | apiGroup: rbac.authorization.k8s.io 55 | kind: ClusterRole 56 | name: tl500-clusterrole 57 | subjects: 58 | - apiGroup: rbac.authorization.k8s.io 59 | kind: Group 60 | name: {{ .Values.group_name }} 61 | --- 62 | # to access StackRox 63 | apiVersion: rbac.authorization.k8s.io/v1 64 | kind: RoleBinding 65 | metadata: 66 | name: {{ .Values.group_name }}-edit 67 | namespace: stackrox 68 | roleRef: 69 | apiGroup: rbac.authorization.k8s.io 70 | kind: ClusterRole 71 | name: edit 72 | subjects: 73 | - apiGroup: rbac.authorization.k8s.io 74 | kind: Group 75 | name: {{ .Values.group_name }} 76 | --- 77 | # to view tl500 codeready workspaces namespaces 78 | apiVersion: rbac.authorization.k8s.io/v1 79 | kind: RoleBinding 80 | metadata: 81 | name: tl500-workspaces-view 82 | namespace: tl500-workspaces 83 | roleRef: 84 | apiGroup: rbac.authorization.k8s.io 85 | kind: ClusterRole 86 | name: view 87 | subjects: 88 | - apiGroup: rbac.authorization.k8s.io 89 | kind: Group 90 | name: {{ .Values.group_name }} 91 | --- 92 | # to view tl500 gitlab namespaces 93 | apiVersion: rbac.authorization.k8s.io/v1 94 | kind: RoleBinding 95 | metadata: 96 | name: tl500-gitlab-view 97 | namespace: tl500-gitlab 98 | roleRef: 99 | apiGroup: rbac.authorization.k8s.io 100 | kind: ClusterRole 101 | name: view 102 | subjects: 103 | - apiGroup: rbac.authorization.k8s.io 104 | kind: Group 105 | name: {{ .Values.group_name }} 106 | --- 107 | # to view tl500 shared namespaces 108 | apiVersion: rbac.authorization.k8s.io/v1 109 | kind: 
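RoleBinding
metadata:
  name: tl500-shared-view
  namespace: tl500-shared
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: {{ .Values.group_name }}
---
{{- if .Values.ipa_namespace }}
# to view tl500 IPA namespaces. Only if IPA namespace exists.
# Only left-trim on the if/end markers, as the other templates do. A right-trim here
# glues the "---" above onto this comment line and the last subject's name onto the
# "---" below, so the document separators around this RoleBinding are lost after
# rendering.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tl500-ipa-view
  namespace: {{ .Values.ipa_namespace }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: {{ .Values.group_name }}
{{- end }}
---
# to edit/view monitoring
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tl500-monitoring-edit
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: monitoring-edit
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: {{ .Values.group_name }}
---
# to view application logs (a ClusterRoleBinding is cluster-scoped, so it carries no namespace)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: view-application-logs
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-logging-application-view
subjects:
  - kind: Group
    name: {{ .Values.group_name }}
    apiGroup: rbac.authorization.k8s.io
---
# so stackrox can pull images from all namespaces
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-image-puller-tl500
subjects:
  - kind: ServiceAccount
    name: pipeline
    namespace: tl500
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: 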
'system:image-puller' -------------------------------------------------------------------------------- /tooling/charts/tl500-base/templates/user-workload-monitoring/configmap.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.userworkloadmonitoring }} 2 | --- 3 | apiVersion: v1 4 | kind: ConfigMap 5 | metadata: 6 | name: cluster-monitoring-config 7 | namespace: openshift-monitoring 8 | data: 9 | config.yaml: | 10 | enableUserWorkload: true 11 | {{- end }} -------------------------------------------------------------------------------- /tooling/charts/tl500-base/values.yaml: -------------------------------------------------------------------------------- 1 | # Default values for tl500 2 | 3 | # Should we add a helper that creates a prefix when one isn't provided? It would help if we moved to shared clusters 4 | prefix: "" 5 | 6 | # Group name in LDAP / IdM (FreeIPA) for attendees. 7 | group_name: student 8 | 9 | # Namespace where IdM runs, in case it is deployed in OCP. Otherwise leave it empty. 
10 | ipa_namespace: ipa 11 | 12 | namespaces: 13 | - name: tl500-workspaces 14 | - name: tl500-tech-exercise 15 | - name: tl500-gitlab 16 | - name: tl500-shared 17 | - name: tl500-minio 18 | 19 | operators: 20 | 21 | devspaces: 22 | enabled: true 23 | namespace: openshift-operators 24 | subscription: 25 | channel: stable 26 | approval: Automatic 27 | operatorName: devspaces 28 | sourceName: redhat-operators 29 | sourceNamespace: openshift-marketplace 30 | operatorgroup: 31 | create: false 32 | 33 | openshift-pipelines-operator-rh: 34 | enabled: true 35 | namespace: openshift-operators 36 | subscription: 37 | channel: latest 38 | approval: Automatic 39 | operatorName: openshift-pipelines-operator-rh 40 | sourceName: redhat-operators 41 | sourceNamespace: openshift-marketplace 42 | operatorgroup: 43 | create: false 44 | 45 | cluster-logging-operator: 46 | enabled: true 47 | namespace: openshift-logging 48 | subscription: 49 | channel: stable-6.2 50 | approval: Automatic 51 | operatorName: cluster-logging 52 | sourceName: redhat-operators 53 | sourceNamespace: openshift-marketplace 54 | operatorgroup: 55 | create: true 56 | targetNamespace: AllNamespaces 57 | 58 | cluster-observability-operator: 59 | enabled: true 60 | namespace: openshift-cluster-observability-operator 61 | subscription: 62 | channel: stable 63 | approval: Automatic 64 | operatorName: cluster-observability-operator 65 | sourceName: redhat-operators 66 | sourceNamespace: openshift-marketplace 67 | operatorgroup: 68 | create: true 69 | targetNamespace: AllNamespaces 70 | 71 | loki-operator: 72 | enabled: true 73 | namespace: openshift-operators-redhat 74 | subscription: 75 | channel: stable-6.2 76 | approval: Automatic 77 | operatorName: loki-operator 78 | sourceName: redhat-operators 79 | sourceNamespace: openshift-marketplace 80 | operatorgroup: 81 | create: true 82 | targetNamespace: AllNamespaces 83 | 84 | cert-utils-operator: 85 | enabled: true 86 | namespace: openshift-operators 87 | 
subscription: 88 | channel: alpha 89 | approval: Automatic 90 | operatorName: cert-utils-operator 91 | sourceName: community-operators 92 | sourceNamespace: openshift-marketplace 93 | operatorgroup: 94 | create: false 95 | 96 | kubernetes-imagepuller-operator: 97 | enabled: true 98 | namespace: openshift-operators 99 | subscription: 100 | channel: stable 101 | approval: Automatic 102 | operatorName: kubernetes-imagepuller-operator 103 | sourceName: community-operators 104 | sourceNamespace: openshift-marketplace 105 | operatorgroup: 106 | create: false 107 | 108 | logging: 109 | # Might be needed with clusters that have an infra plane 110 | # nodeSelector: 111 | # key: node-role.kubernetes.io/infra 112 | # value: '' 113 | namespace: openshift-logging 114 | 115 | minio: 116 | namespace: tl500-minio 117 | 118 | gitlab: 119 | app_name: "gitlab-ce" 120 | namespace: tl500-gitlab 121 | credentials: 122 | root_password: '' 123 | postgres_user: '' 124 | postgres_password: '' 125 | postgres_admin_password: '' 126 | imagestreams: 127 | gitlab: 128 | name: "gitlab-ce" 129 | tag_name: "latest" 130 | stream_uri: "gitlab/gitlab-ce:12.8.7-ce.0" 131 | redis: 132 | name: "redis" 133 | tag_name: "latest" 134 | stream_uri: "redis:5.0.4-alpine" 135 | postgresql: 136 | name: "postgresql" 137 | tag_name: "latest" 138 | stream_uri: "registry.redhat.io/rhscl/postgresql-96-rhel7" 139 | # The body of the CA certificate that GitLab should use goes here. The body must be Base64-encoded! 
140 | # cacert: 141 | ldap: 142 | # port: "389" 143 | # base: "dc=CORP,dc=EXAMPLE,dc=COM" 144 | # uri: "MY-LDAP.example.corp.com" 145 | # user_filter: "" 146 | # validate_certs: "false" 147 | # bind_dn: uid=ldap-admin,cn=users,cn=accounts,dc=CORP,dc=EXAMPLE,dc=COM 148 | # password: password 149 | secret_name: ldap-bind-password 150 | 151 | sealed-secrets: 152 | # Disabled by default 153 | enabled: true 154 | nameOverride: sealed-secrets 155 | fullnameOverride: sealed-secrets 156 | namespace: tl500-shared 157 | # Don't touch the security context values; the deployment will fail in OpenShift otherwise. 158 | podSecurityContext: 159 | enabled: false 160 | containerSecurityContext: 161 | enabled: false 162 | commandArgs: 163 | - "--update-status=true" 164 | 165 | userworkloadmonitoring: true 166 | 167 | stackrox-chart: 168 | enabled: true 169 | stackrox: 170 | clusterName: tl500 171 | namespace: stackrox 172 | 173 | gitops-operator: 174 | enabled: true 175 | namespaces: [] 176 | ignoreHelmHooks: false 177 | 178 | tl500-teamsters: 179 | enabled: true 180 | 181 | # assumes node-role.kubernetes.io/infra: "" on one or more nodes 182 | runOnInfra: false 183 | 184 | # not sure if this should be in this repo, but putting it somewhere for safekeeping at least 185 | machineset: 186 | enabled: false 187 | cluster_id: '' 188 | region: 'eu-west-2' 189 | availability_zone: 'eu-west-2a' 190 | ami_id: 'ami-0993bc7222e12bd80' # eu-west-2 191 | 
-------------------------------------------------------------------------------- /tooling/charts/tl500-course-content/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{- define "tl500.app_domain" -}} 2 | {{- if (lookup "operator.openshift.io/v1" "IngressController" "openshift-ingress-operator" "default") -}} 3 | {{- print (lookup "operator.openshift.io/v1" "IngressController" "openshift-ingress-operator" "default").status.domain -}} 4 | {{- else -}} 5 | {{- print "example.com" -}} 6 | {{- end -}} 7 | {{- end -}} 8 | 9 | -------------------------------------------------------------------------------- /tooling/charts/tl500-course-content/templates/crd-reader.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: crd-reader 6 | annotations: 7 | "helm.sh/hook": pre-install,pre-upgrade 8 | "helm.sh/hook-weight": "-5" 9 | "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded 10 | rules: 11 | - apiGroups: 12 | - apiextensions.k8s.io 13 | resources: 14 | - 'customresourcedefinitions' 15 | verbs: 16 | - get 17 | - list 18 | --- 19 | apiVersion: rbac.authorization.k8s.io/v1 20 | kind: ClusterRoleBinding 21 | metadata: 22 | name: crd-reader-binding 23 | annotations: 24 | "helm.sh/hook": pre-install,pre-upgrade 25 | "helm.sh/hook-weight": "-5" 26 | "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded 27 | roleRef: 28 | apiGroup: rbac.authorization.k8s.io 29 | kind: ClusterRole 30 | name: crd-reader 31 | subjects: 32 | - kind: ServiceAccount 33 | name: default 34 | namespace: {{ .Release.Namespace }} 35 | -------------------------------------------------------------------------------- /tooling/charts/tl500-course-content/templates/crw/ca-configmap.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.crw }} 2 | 
{{- if .Values.crw.gitCustomCA }} 3 | --- 4 | apiVersion: v1 5 | kind: ConfigMap 6 | metadata: 7 | annotations: 8 | "helm.sh/hook": pre-install,pre-upgrade 9 | "helm.sh/hook-weight": "20" 10 | name: che-git-self-signed-cert 11 | namespace: {{ .Values.crw.namespace | default "tl500-workspaces" | quote }} 12 | data: 13 | ca.crt: {{ .Values.crw.gitCustomCA | indent 4 }} 14 | {{- end }} 15 | {{- end }} 16 | -------------------------------------------------------------------------------- /tooling/charts/tl500-course-content/templates/crw/crw.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: org.eclipse.che/v2 3 | kind: CheCluster 4 | metadata: 5 | annotations: 6 | "helm.sh/hook": post-install,post-upgrade 7 | "helm.sh/hook-weight": "25" 8 | name: {{ .Values.crw.name | default "codeready-workspaces" | quote }} 9 | namespace: {{ .Values.crw.namespace | default "tl500-workspaces" | quote }} 10 | spec: 11 | components: 12 | database: 13 | externalDb: false 14 | metrics: 15 | enable: false 16 | cheServer: 17 | debug: false 18 | logLevel: INFO 19 | extraProperties: {{ toYaml .Values.crw.properties | nindent 8 | default "" }} 20 | devEnvironments: 21 | startTimeoutSeconds: 300 22 | secondsOfRunBeforeIdling: {{ .Values.crw.secondsOfRunBeforeIdling | default -1 }} 23 | secondsOfInactivityBeforeIdling: {{ .Values.crw.secondsOfInactivityBeforeIdling | default -1 }} 24 | maxNumberOfWorkspacesPerUser: -1 25 | disableContainerBuildCapabilities: true 26 | defaultNamespace: 27 | autoProvision: true 28 | template: -devspaces 29 | storage: 30 | perUserStrategyPvcConfig: 31 | claimSize: 2Gi 32 | pvcStrategy: per-workspace 33 | -------------------------------------------------------------------------------- /tooling/charts/tl500-course-content/templates/docs/configmap.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.docs }} 2 | {{- if .Values.docs.config }} 3 | --- 4 | 
apiVersion: v1 5 | kind: ConfigMap 6 | metadata: 7 | name: {{ .Values.docs.config.configMapName }} 8 | namespace: {{ $.Values.docs.namespace }} 9 | data: 10 | all.json: {{ $.Values.docs.config.configFileContent | toPrettyJson }} 11 | {{- end }} 12 | {{- end }} 13 | -------------------------------------------------------------------------------- /tooling/charts/tl500-course-content/templates/docs/deploy.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.docs }} 2 | --- 3 | apiVersion: apps/v1 4 | kind: Deployment 5 | metadata: 6 | name: "{{ .Values.docs.name }}" 7 | namespace: "{{ .Values.docs.namespace }}" 8 | spec: 9 | replicas: 1 10 | selector: 11 | matchLabels: 12 | app: "{{ .Values.docs.name }}" 13 | template: 14 | metadata: 15 | labels: 16 | app: "{{ .Values.docs.name }}" 17 | spec: 18 | {{- if and .Values.docs .Values.docs.config }} 19 | volumes: 20 | - name: {{ .Values.docs.config.configMapName }} 21 | configMap: 22 | name: {{ .Values.docs.config.configMapName }} 23 | defaultMode: 420 24 | optional: true 25 | {{- end }} 26 | containers: 27 | - name: {{ .Values.docs.name }} 28 | image: {{ .Values.docs.image }} 29 | ports: 30 | - containerPort: 8080 31 | protocol: TCP 32 | resources: {} 33 | {{- if and .Values.docs .Values.docs.config }} 34 | volumeMounts: 35 | - name: {{ .Values.docs.config.configMapName }} 36 | mountPath: /docs/config 37 | {{- end }} 38 | terminationMessagePath: /dev/termination-log 39 | terminationMessagePolicy: File 40 | imagePullPolicy: Always 41 | restartPolicy: Always 42 | terminationGracePeriodSeconds: 30 43 | dnsPolicy: ClusterFirst 44 | securityContext: {} 45 | schedulerName: default-scheduler 46 | strategy: 47 | type: RollingUpdate 48 | rollingUpdate: 49 | maxUnavailable: 25% 50 | maxSurge: 25% 51 | revisionHistoryLimit: 10 52 | progressDeadlineSeconds: 600 53 | {{- end }} 54 | -------------------------------------------------------------------------------- 
/tooling/charts/tl500-course-content/templates/docs/routes.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.docs }} 2 | kind: Route 3 | apiVersion: route.openshift.io/v1 4 | metadata: 5 | name: "{{ .Values.docs.name }}" 6 | namespace: "{{ .Values.docs.namespace }}" 7 | labels: 8 | app: "{{ .Values.docs.name }}" 9 | spec: 10 | to: 11 | kind: Service 12 | name: "{{ .Values.docs.name }}" 13 | weight: 100 14 | port: 15 | targetPort: http 16 | tls: 17 | termination: edge 18 | insecureEdgeTerminationPolicy: Redirect 19 | wildcardPolicy: None 20 | {{- end }} 21 | -------------------------------------------------------------------------------- /tooling/charts/tl500-course-content/templates/docs/service.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.docs }} 2 | --- 3 | kind: Service 4 | apiVersion: v1 5 | metadata: 6 | name: {{ .Values.docs.name }} 7 | namespace: {{ .Values.docs.namespace }} 8 | spec: 9 | ports: 10 | - name: http 11 | protocol: TCP 12 | port: 8080 13 | targetPort: 8080 14 | selector: 15 | app: {{ .Values.docs.name }} 16 | type: ClusterIP 17 | sessionAffinity: None 18 | status: 19 | loadBalancer: {} 20 | {{- end }} 21 | -------------------------------------------------------------------------------- /tooling/charts/tl500-course-content/templates/image-puller.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: che.eclipse.org/v1alpha1 3 | kind: KubernetesImagePuller 4 | metadata: 5 | name: image-puller 6 | namespace: openshift-operators 7 | spec: 8 | configMapName: k8s-image-puller 9 | daemonsetName: k8s-image-puller 10 | deploymentName: kubernetes-image-puller 11 | imagePullerImage: 'quay.io/eclipse/kubernetes-image-puller:next' 12 | images: 'tl500=quay.io/rht-labs/stack-tl500:latest' 13 | -------------------------------------------------------------------------------- 
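/tooling/charts/tl500-course-content/templates/logging/clusterlogforwarder.yaml:
--------------------------------------------------------------------------------
# Forwards application and infrastructure logs from the collector into the
# LokiStack in the same namespace. The collector authenticates with its own
# ServiceAccount token and verifies the Loki gateway against the cluster
# service CA, so no static credential is involved on this path.
apiVersion: observability.openshift.io/v1
kind: ClusterLogForwarder
metadata:
  name: instance
  namespace: {{ .Values.logging.namespace }}
spec:
  serviceAccount:
    name: {{ .Values.logging.sa }}
  outputs:
    - name: lokistack-out
      type: lokiStack
      lokiStack:
        target:
          name: {{ .Values.logging.loki_name }}
          namespace: {{ .Values.logging.namespace }}
        authentication:
          token:
            from: serviceAccount
      tls:
        ca:
          key: service-ca.crt
          configMapName: openshift-service-ca.crt
  pipelines:
    - name: infra-app-logs
      inputRefs:
        - application
        - infrastructure
      outputRefs:
        - lokistack-out
--------------------------------------------------------------------------------
/tooling/charts/tl500-course-content/templates/logging/clusterolebinding.yaml:
--------------------------------------------------------------------------------
{{- /*
The collector SA is bound to the three operator-provided ClusterRoles it needs
for the pipeline in clusterlogforwarder.yaml: two to read the application and
infrastructure inputs, one to write into the LokiStack. `audit` logs are not
forwarded by that pipeline, so no audit-collection role is granted.
*/ -}}
{{- range $role := list "collect-application-logs" "collect-infrastructure-logs" "logging-collector-logs-writer" }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ $role }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ $role }}
subjects:
  - kind: ServiceAccount
    name: {{ $.Values.logging.sa }}
    namespace: {{ $.Values.logging.namespace }}
{{- end }}
--------------------------------------------------------------------------------
/tooling/charts/tl500-course-content/templates/logging/lokistack.yaml:
--------------------------------------------------------------------------------
{{- $s3 := .Values.logging.s3 | default dict }}
---
apiVersion: loki.grafana.com/v1
kind: LokiStack
metadata:
  name: {{ .Values.logging.loki_name }}
  namespace: {{ .Values.logging.namespace }}
spec:
  size: 1x.extra-small
  storage:
    secret:
      # Either a pre-created secret (`logging.s3.existingSecret`) or the one
      # rendered by secret.yaml in this directory.
      name: {{ $s3.existingSecret | default "logging-loki-s3" }}
      type: s3
  storageClassName: {{ .Values.logging.storageclass }}
  tenants:
    # Must be one of the Loki operator's tenant modes; `openshift-logging` is the
    # one used with cluster logging. The previous revision reused the namespace
    # value here, which only worked while it happened to equal a valid mode.
    mode: {{ .Values.logging.tenantMode | default "openshift-logging" }}
--------------------------------------------------------------------------------
/tooling/charts/tl500-course-content/templates/logging/secret.yaml:
--------------------------------------------------------------------------------
{{- /*
Object-storage credentials for the LokiStack. Rendered only when no
`logging.s3.existingSecret` is supplied. The access key secret MUST come from
values passed at install time (`--set logging.s3.accessKeySecret=...` or a
values file kept out of git): an earlier revision of this template had the
MinIO password committed in clear text, so it is in the repository history and
should be rotated on any cluster that used it.
*/ -}}
{{- $s3 := .Values.logging.s3 | default dict }}
{{- if not $s3.existingSecret }}
---
apiVersion: v1
kind: Secret
metadata:
  name: logging-loki-s3
  namespace: {{ .Values.logging.namespace }}
type: Opaque
stringData:
  access_key_id: {{ $s3.accessKeyId | default "minio" | quote }}
  access_key_secret: {{ required "logging.s3.accessKeySecret must be set (or give logging.s3.existingSecret)" $s3.accessKeySecret | quote }}
  bucketnames: {{ $s3.bucket | default "loki" | quote }}
  # Plain HTTP to the in-cluster MinIO service; the traffic stays on the cluster network.
  endpoint: {{ $s3.endpoint | default "http://minio-service.tl500-minio.svc.cluster.local:9000" | quote }}
  region: {{ $s3.region | default "eu-central-1" | quote }}
{{- end }}
--------------------------------------------------------------------------------
/tooling/charts/tl500-course-content/templates/logging/serviceaccount.yaml:
--------------------------------------------------------------------------------
---
# Identity the log collector runs as; its grants are in clusterolebinding.yaml.
kind: ServiceAccount
apiVersion: v1
metadata:
  name: "{{ .Values.logging.sa }}"
  namespace: "{{ .Values.logging.namespace }}"
--------------------------------------------------------------------------------
/tooling/charts/tl500-course-content/templates/logging/uipplugin.yaml: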
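--------------------------------------------------------------------------------
# Console "Logs" plugin wired to the LokiStack above (cluster-scoped resource).
apiVersion: observability.openshift.io/v1alpha1
kind: UIPlugin
metadata:
  name: logging
spec:
  type: Logging
  logging:
    lokiStack:
      name: {{ .Values.logging.loki_name }}
    logsLimit: 50
    timeout: 30s
--------------------------------------------------------------------------------
/tooling/charts/tl500-course-content/templates/stackrox/configure-stackrox-job.yaml:
--------------------------------------------------------------------------------
{{- /*
Post-install hook: registers the OpenShift internal image registry with RHACS
Central as an image integration, authenticating to the registry with a token of
the `pipeline` ServiceAccount in the tl500 namespace.

Changes from the previous revision (all visible in this file):
  * ROX_ENDPOINT used `index ... "stackrox.namespace"` — a single, non-existent
    key — so the namespace rendered empty. It now uses the same
    "stackrox" / "namespace" path as every other lookup in the chart.
  * Every wait loop is bounded and the Job has activeDeadlineSeconds, so a
    missing operator fails the release instead of leaving the hook running
    forever (Helm's --timeout abandons the install but not the Job).
  * `set -x` is switched off while the admin password and SA token are in shell
    variables, and the request body is built with jq instead of string
    interpolation so the token can never break out of the JSON.
  * Central's CA (central-tls/ca.pem) is used to verify the TLS connection that
    carries the admin password; `-k` is only a logged fallback when the secret
    cannot be mounted.
  * A curl failure or a non-JSON reply now fails the hook; previously an empty
    `jq .error` result was treated as success.
*/ -}}
{{- $roxNs := index .Values "stackrox-chart" "stackrox" "namespace" }}
{{- $job := .Values.stackroxJob | default dict }}
---
apiVersion: batch/v1
kind: Job
metadata:
  name: configure-stackrox-integration
  namespace: {{ $roxNs | quote }}
  annotations:
    "helm.sh/hook": post-install,post-upgrade
    "helm.sh/hook-weight": "3"
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
spec:
  # Upper bound for the whole Job, including retries.
  activeDeadlineSeconds: {{ $job.activeDeadlineSeconds | default 1800 }}
  backoffLimit: {{ $job.backoffLimit | default 6 }}
  template:
    spec:
      volumes:
        # Central's own CA, published by the operator in the central-tls secret.
        # Optional so the pod still starts (and falls back to -k) if it is absent.
        - name: central-ca
          secret:
            secretName: central-tls
            optional: true
            items:
              - key: ca.pem
                path: ca.pem
      containers:
        - name: configure-stackrox-integration
          # Override `stackroxJob.image` to pin a digest; `:latest` is the tag the chart always used.
          image: {{ $job.image | default "quay.io/rht-labs/stack-tl500:latest" | quote }}
          imagePullPolicy: Always
          volumeMounts:
            - name: central-ca
              mountPath: /etc/central-ca
              readOnly: true
          command:
            - /bin/bash
            - -c
            - |
              VERBOSE={{ .Values.verbose | default "false" | quote }}
              [ "$VERBOSE" == true ] && set -x
              ROX_NS={{ $roxNs | quote }}
              PIPELINE_NS=tl500
              # Single deadline shared by all wait loops below.
              DEADLINE=$(( $(date +%s) + 600 ))

              # Exits the script once the shared deadline has passed.
              check_deadline() {
                if [ "$(date +%s)" -ge "$DEADLINE" ]; then
                  echo "🛑 timed out waiting for $1, exiting 🛑"
                  exit 1
                fi
              }

              # wait for operator
              until oc get crd centrals.platform.stackrox.io >/dev/null 2>&1; do
                check_deadline "centrals CRD"; sleep 5
              done
              # wait for central
              echo "waiting for stackrox-central ..."
              until oc -n "$ROX_NS" get pod -l app.kubernetes.io/component=central -o name 2>/dev/null | grep -q .; do
                check_deadline "central pod"; sleep 5
              done
              if ! oc -n "$ROX_NS" wait pod -l app.kubernetes.io/component=central --for=condition=Ready --timeout=200s; then
                echo "🛑 timed out waiting for central, exiting 🛑"
                exit 1
              fi
              sleep 15

              # wait for serviceaccount
              echo "waiting for tl500 pipeline service account ..."
              until oc -n "$PIPELINE_NS" get sa/pipeline -o name >/dev/null 2>&1; do
                check_deadline "pipeline serviceaccount"; sleep 5
              done

              # Credentials live in shell variables from here on: never trace them.
              set +x
              ROX_ENDPOINT="central.${ROX_NS}"
              ROX_ADMIN_PASSWD=$(oc -n "$ROX_NS" get secret central-htpasswd -o go-template='{{ printf "{{index .data \"password\" | base64decode}}" }}')

              # Newer clusters (k8s >= 1.24) do not auto-create SA token secrets; create a
              # long-lived one for the pipeline SA if get-token finds nothing. That token is
              # what Central stores for the registry integration.
              if ! oc serviceaccounts get-token pipeline -n "$PIPELINE_NS" >/dev/null 2>&1; then
                echo '{"apiVersion":"v1","kind":"Secret","metadata":{"name":"pipeline-token","namespace":"tl500","annotations": {"kubernetes.io/service-account.name":"pipeline"}},"type":"kubernetes.io/service-account-token"}' | oc -n "$PIPELINE_NS" apply -f-
                oc -n "$PIPELINE_NS" secret link pipeline pipeline-token
              fi
              # The token controller fills the secret asynchronously; retry until non-empty
              # instead of sending an empty password to Central.
              TOKEN=""
              while [ -z "$TOKEN" ]; do
                check_deadline "pipeline token"
                TOKEN=$(oc serviceaccounts get-token pipeline -n "$PIPELINE_NS" 2>/dev/null)
                [ -z "$TOKEN" ] && sleep 5
              done

              # Verify Central's certificate when its CA is mounted; otherwise warn and skip
              # verification as the previous revision always did.
              CURL_TLS=(--cacert /etc/central-ca/ca.pem)
              if [ ! -s /etc/central-ca/ca.pem ]; then
                echo "⚠️ central-tls/ca.pem not available, calling Central without TLS verification"
                CURL_TLS=(-k)
              fi
              # "insecure": true makes Central skip TLS verification towards the internal
              # registry (kept from the previous revision; the registry is cluster-local).
              BODY=$(jq -n --arg token "$TOKEN" '{
                id: "", name: "tl500", categories: ["REGISTRY"],
                docker: {endpoint: "https://image-registry.openshift-image-registry.svc:5000",
                         username: "", password: $token, insecure: true},
                autogenerated: false, clusterId: "", clusters: [],
                skipTestIntegration: false, type: "docker"}')
              if ! RESP=$(curl -sS "${CURL_TLS[@]}" -u "admin:${ROX_ADMIN_PASSWD}" "https://${ROX_ENDPOINT}/v1/imageintegrations" -d "$BODY"); then
                echo "🛑 request to Central at ${ROX_ENDPOINT} failed, exiting 🛑"
                exit 1
              fi
              unset ROX_ADMIN_PASSWD TOKEN BODY
              [ "$VERBOSE" == true ] && set -x
              RET=$(printf '%s' "$RESP" | jq -r '.error // empty' 2>/dev/null) || RET="non-JSON response from Central: ${RESP:0:200}"
              if [ -n "$RET" ]; then
                echo "🛑 failed to set image integration, exiting - ${RET} 🛑"
                exit 1
              fi
              exit 0
      dnsPolicy: ClusterFirst
      restartPolicy: OnFailure
      serviceAccountName: configure-stackrox-integration
      terminationGracePeriodSeconds: 10
--------------------------------------------------------------------------------
/tooling/charts/tl500-course-content/templates/stackrox/configure-stackrox-rbac.yaml:
--------------------------------------------------------------------------------
{{- /*
Least-privilege RBAC for the configure-stackrox-integration hook Job, derived
from what its script actually does:
  * stackrox namespace: read the central-htpasswd secret; list/watch central pods.
  * tl500 namespace:    read the pipeline SA; create and link its token secret.
  * cluster-wide:       `oc get crd` only.
The previous revision granted cluster-wide create/delete/patch on every secret
and serviceaccount, plus CRUD on securedclusters, none of which the script uses.
The tl500 Role assumes that namespace already exists when the hook runs (the
script itself waits for a ServiceAccount in it); if it does not, the hook now
fails fast instead of looping.
*/ -}}
{{- $roxNs := index .Values "stackrox-chart" "stackrox" "namespace" }}
{{- $pipelineNs := "tl500" }}
{{- $hookAnnotations := dict "helm.sh/hook" "post-install,post-upgrade" "helm.sh/hook-weight" "1" "helm.sh/hook-delete-policy" "before-hook-creation,hook-succeeded" }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: configure-stackrox-integration
  namespace: {{ $roxNs | quote }}
  annotations:
    {{- toYaml $hookAnnotations | nindent 4 }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: configure-stackrox-integration-local
  namespace: {{ $roxNs | quote }}
  annotations:
    {{- toYaml $hookAnnotations | nindent 4 }}
rules:
  # `oc get secret central-htpasswd` — the Central admin password.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["central-htpasswd"]
    verbs: ["get"]
  # `oc get pod -l ...` and `oc wait pod` on central.
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: configure-stackrox-integration-local
  namespace: {{ $roxNs | quote }}
  annotations:
    {{- toYaml $hookAnnotations | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: configure-stackrox-integration-local
subjects:
  - kind: ServiceAccount
    name: configure-stackrox-integration
    namespace: {{ $roxNs | quote }}
---
# Namespaced grant in tl500; replaces the former cluster-wide secrets/serviceaccounts rule.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: configure-stackrox-integration-pipeline-token
  namespace: {{ $pipelineNs }}
  annotations:
    {{- toYaml $hookAnnotations | nindent 4 }}
rules:
  # `oc get sa/pipeline` and `oc secret link pipeline ...` (patches the SA's secrets list).
  - apiGroups: [""]
    resources: ["serviceaccounts"]
    verbs: ["get", "list", "patch", "update"]
  # `oc serviceaccounts get-token` and `oc apply` of the pipeline-token secret.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "create", "patch", "update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: configure-stackrox-integration-pipeline-token
  namespace: {{ $pipelineNs }}
  annotations:
    {{- toYaml $hookAnnotations | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: configure-stackrox-integration-pipeline-token
subjects:
  - kind: ServiceAccount
    name: configure-stackrox-integration
    namespace: {{ $roxNs | quote }}
---
# Cluster scope is only needed to check that the Central CRD exists.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: configure-stackrox-integration
  annotations:
    {{- toYaml $hookAnnotations | nindent 4 }}
rules:
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: configure-stackrox-integration
  annotations:
    {{- toYaml $hookAnnotations | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: configure-stackrox-integration
subjects:
  - kind: ServiceAccount
    name: configure-stackrox-integration
    namespace: {{ $roxNs | quote }}
--------------------------------------------------------------------------------
/tooling/charts/tl500-course-content/templates/wait-for-crd.yaml: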
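--------------------------------------------------------------------------------
{{- /*
Pre-install gate: blocks the release until the CodeReady Workspaces and RHACS
operators have installed their CRDs. Bounded by activeDeadlineSeconds so a
missing operator fails the install instead of leaving a pod looping forever
(Helm's own --timeout abandons the install but not the pod). Runs as the
namespace's default SA, which needs `get` on customresourcedefinitions —
presumably granted by crd-reader.yaml in this chart; confirm if the check
starts failing with "forbidden".
*/ -}}
{{- $check := .Values.clusterCheck | default dict }}
---
apiVersion: v1
kind: Pod
metadata:
  name: cluster-check
  annotations:
    "helm.sh/hook": pre-install,pre-upgrade
    "helm.sh/hook-weight": "-1"
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
spec:
  activeDeadlineSeconds: {{ $check.activeDeadlineSeconds | default 1800 }}
  containers:
    - name: crd-check
      # Override `clusterCheck.image` to pin a digest; 4.8 is the tag the chart always used.
      image: {{ $check.image | default "quay.io/openshift/origin-cli:4.8" | quote }}
      imagePullPolicy: IfNotPresent
      # The check only runs `oc get`; it needs no capabilities.
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
      command:
        - sh
        - -c
        - |
          until oc get crd checlusters.org.eclipse.che centrals.platform.stackrox.io >/dev/null 2>&1; do
            echo "waiting for CheCluster and Central CRDs ..."
            sleep 5
          done
  restartPolicy: Never
  terminationGracePeriodSeconds: 0
  serviceAccountName: default
--------------------------------------------------------------------------------
/tooling/charts/tl500-course-content/values.yaml:
--------------------------------------------------------------------------------
# Create a helper to create a prefix if one isn't provided? Would help if we moved to shared clusters
prefix: ""

# Group name in LDAP / IdM (FreeIPA) for attendees
group_name: student

logging:
  # Might be needed with clusters that have an infra plane
  # nodeSelector:
  #   key: node-role.kubernetes.io/infra
  #   value: ''
  namespace: openshift-logging
  # LokiStack tenant mode. Must be a mode the Loki operator accepts; it is not
  # derived from the namespace name.
  tenantMode: openshift-logging
  # lokistack configuration requires the sc name.
  # If you are deploying outside of AWS, make sure you update this value
  storageclass: gp3-csi
  loki_name: logging-loki
  sa: logging-collector
  # Object storage for the LokiStack. Either point at a pre-created secret
  # (existingSecret) or pass the access key secret at install time, e.g.
  #   --set logging.s3.accessKeySecret=...
  # Never commit the real value here: an earlier revision of the chart shipped
  # the MinIO password inside the Secret template, so it is in git history and
  # should be rotated on any cluster that used it.
  s3:
    existingSecret: ""
    accessKeyId: minio
    accessKeySecret: ""
    bucket: loki
    endpoint: http://minio-service.tl500-minio.svc.cluster.local:9000
    region: eu-central-1
  tolerations:
    - effect: NoSchedule
      key: node-role.kubernetes.io/infra
      operator: Exists

crw:
  namespace: tl500-workspaces
  name: "codeready-workspaces"
  secondsOfRunBeforeIdling: "-1"
  secondsOfInactivityBeforeIdling: "-1"
  properties:
    CHE_LIMITS_USER_WORKSPACES_COUNT: "2"
    CHE_WORKSPACE_DEFAULT__MEMORY__LIMIT__MB: "3072"
    CHE_DOCKER_ALWAYS__PULL__IMAGE: 'true'
    CHE_LIMITS_USER_WORKSPACES_RUN_COUNT: '1'
    CHE_LIMITS_WORKSPACE_IDLE_TIMEOUT: '-1'
    CHE_WORKSPACE_SIDECAR_IMAGE__PULL__POLICY: Always

# Tech-exercises deployment to the engagement environment.
# The deployment is rendered only if `docs:` is uncommented.
#docs:
#  name: tl500-docs
#  namespace: tl500-tech-exercise
#  image: quay.io/rht-labs/tl500-tech-exercise:v1.0.2
#  config:
#    configMapName: tl500-docs-config
#    configFileContent: |
#      {
#        "devfile": "https://raw.githubusercontent.com/rht-labs/enablement-framework/main/codereadyworkspaces/tl500-devfile.yaml"
#      }

stackrox-chart:
  enabled: true
  stackrox:
    clusterName: tl500
    namespace: stackrox
--------------------------------------------------------------------------------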