├── .gitattributes ├── .github └── workflows │ └── linting.yml ├── .gitignore ├── .kube-linter.yaml ├── .yamllint.yaml ├── README.md ├── _templates.gotmpl ├── base ├── argocd-resources-manager │ ├── README.md │ └── values.yaml └── init_app_of_apps │ ├── Chart.yaml │ ├── LICENSE │ ├── README.md │ ├── templates │ └── _helpers.tpl │ └── values.yaml ├── clusters ├── all │ ├── base-operators │ │ ├── Chart.yaml │ │ ├── LICENSE │ │ ├── README.md │ │ ├── templates │ │ │ └── _helpers.tpl │ │ └── values.yaml │ └── project-onboarding │ │ ├── Chart.yaml │ │ ├── README.md │ │ ├── templates │ │ ├── _helpers.tpl │ │ └── argocd-project.yaml │ │ └── values.yaml └── management-cluster │ ├── applications-gitops │ ├── Chart.yaml │ ├── README.md │ ├── config.json │ ├── templates │ │ ├── gitops-rolebinding.yaml │ │ └── gitops-roles.yaml │ └── values.yaml │ ├── branding │ ├── Chart.yaml │ ├── LICENSE │ ├── README.md │ ├── README.md.gotmpl │ ├── config.json │ ├── templates │ │ └── _helpers.tpl │ └── values.yaml │ ├── cert-manager │ ├── Chart.yaml │ ├── LICENSE │ ├── config.json │ ├── templates │ │ ├── CertificateRequestPolicy.yaml │ │ ├── ClusterRole-Approver-Policy-approving.yaml │ │ ├── ClusterRoleBinding-Approver-Policy-approving.yaml │ │ ├── SealedSecret-Credentials.yaml │ │ └── _helpers.tpl │ └── values.yaml │ ├── clusterconfig-apiserver │ ├── Chart.yaml │ ├── LICENSE │ ├── README.md │ ├── README.md.gotmpl │ ├── config.json │ ├── templates │ │ └── _helpers.tpl │ └── values.yaml │ ├── etcd-backup │ ├── Chart.yaml │ ├── LICENSE │ ├── README.md │ ├── config.json │ ├── templates │ │ └── _helpers.tpl │ └── values.yaml │ ├── generic-clusterconfig │ ├── Chart.yaml │ ├── README.md │ ├── README.md.gotmpl │ ├── config.json │ ├── templates │ │ ├── create-cluster-admin-binding.yaml │ │ ├── create-group-cluster-admin.yaml │ │ ├── htpasswd-sealed-secret.yaml │ │ ├── projectconfig.yaml │ │ └── projecttemplate.yaml │ └── values.yaml │ ├── idp │ ├── Archive │ │ └── Keycloak │ │ │ ├── 
Keycloak-Client.yaml │ │ │ ├── Keycloak-Instance.yaml │ │ │ ├── Keycloak-Realm.yaml │ │ │ └── Keycloak-User.yaml │ ├── Chart.yaml │ ├── LICENSE │ ├── config.json │ ├── templates │ │ ├── _helpers.tpl │ │ ├── create-cluster-admin-binding.yaml │ │ ├── create-group-cluster-admin.yaml │ │ └── htpasswd-sealed-secret.yaml │ └── values.yaml │ ├── ingresscontroller │ ├── README.md │ ├── config.json │ ├── kustomization.yaml │ └── values.yaml │ ├── install-cyclonedx │ ├── Chart.yaml │ ├── LICENSE │ ├── README.md │ ├── README.md.gotmpl │ ├── config.json │ ├── templates │ │ └── _helpers.tpl │ └── values.yaml │ ├── internal-registry │ ├── Chart.yaml │ ├── README.md │ ├── config.json │ ├── templates │ │ ├── _helpers.tpl │ │ ├── clusterrole.yaml │ │ ├── create-bucket-secret-crb.yaml │ │ ├── create-bucket-secret-sa.yaml │ │ ├── create-bucket-secret.yaml │ │ ├── imageRegistry.yaml │ │ └── patch-image-registry.yaml │ └── values.yaml │ ├── node-configuration │ ├── Chart.yaml │ ├── LICENSE │ ├── README.md │ ├── config.json │ ├── templates │ │ ├── _helpers.tpl │ │ └── node.yaml │ └── values.yaml │ ├── setup-acm │ ├── Chart.yaml │ ├── LICENSE │ ├── README.md │ ├── config.json │ ├── templates │ │ ├── _helpers.tpl │ │ └── acm-configuration │ │ │ ├── GitOpsCluster.yaml │ │ │ ├── ManagedCluster.yaml │ │ │ ├── ManagedClusterSetBinding.yaml │ │ │ └── Placement.yaml │ └── values.yaml │ ├── setup-acs-backup │ ├── Chart.yaml │ ├── LICENSE │ ├── README.md │ ├── README.md.gotmpl │ ├── config.json │ ├── templates │ │ └── _helpers.tpl │ └── values.yaml │ ├── setup-acs │ ├── Chart.yaml │ ├── LICENSE │ ├── README.md │ ├── README.md.gotmpl │ ├── config.json │ ├── templates │ │ └── _helpers.tpl │ └── values.yaml │ ├── setup-compliance-operator │ ├── Chart.yaml │ ├── LICENSE │ ├── README.md │ ├── README.md.gotmpl │ ├── config.json │ ├── templates │ │ └── _helpers.tpl │ └── values.yaml │ ├── setup-container-security-operator │ ├── Chart.yaml │ ├── LICENSE │ ├── README.md │ ├── README.md.gotmpl │ ├── 
config.json │ ├── templates │ │ └── _helpers.tpl │ └── values.yaml │ ├── setup-cost-management-operator │ ├── .helmignore │ ├── Chart.yaml │ ├── README.md │ ├── README.md.gotmpl │ ├── config.json │ ├── templates │ │ └── _helpers.tpl │ └── values.yaml │ ├── setup-crunchy-postgres │ ├── Chart.yaml │ ├── LICENSE │ ├── README.md │ ├── README.md.gotmpl │ ├── config.json │ ├── templates │ │ ├── PodMonitor.yaml │ │ ├── PostgresCluster.yaml │ │ └── _helpers.tpl │ └── values.yaml │ ├── setup-file-integrity-operator │ ├── .helmignore │ ├── Chart.yaml │ ├── README.md │ ├── README.md.gotmpl │ ├── config.json │ ├── templates │ │ └── _helpers.tpl │ └── values.yaml │ ├── setup-multicluster-observability │ ├── Chart.yaml │ ├── config.json │ ├── templates │ │ ├── MultiClusterObservability.yaml │ │ ├── _helpers.tpl │ │ ├── jobs │ │ │ ├── create-bucket-secret-crb.yaml │ │ │ ├── create-bucket-secret-sa.yaml │ │ │ └── create-bucket-secret.yaml │ │ └── namespace.yaml │ └── values.yaml │ ├── setup-network-observability │ ├── Chart.yaml │ ├── README.md │ ├── config.json │ ├── templates │ │ └── _helpers.tpl │ └── values.yaml │ ├── setup-openshift-data-foundation │ ├── Chart.yaml │ ├── LICENSE │ ├── README.md │ ├── README.md.gotmpl │ ├── config.json │ ├── templates │ │ └── _helpers.tpl │ └── values.yaml │ ├── setup-openshift-logging │ ├── Chart.yaml │ ├── LICENSE │ ├── README.md │ ├── README.md.gotmpl │ ├── config.json │ ├── templates │ │ ├── UIPlugin.yaml │ │ └── _helpers.tpl │ └── values.yaml │ ├── setup-quay │ ├── .helmignore │ ├── Chart.yaml │ ├── config.json │ ├── templates │ │ └── _helpers.tpl │ └── values.yaml │ ├── setup-rh-build-of-keycloak │ ├── Chart.yaml │ ├── LICENSE │ ├── README.md │ ├── README.md.gotmpl │ ├── config.json │ ├── templates │ │ └── _helpers.tpl │ └── values.yaml │ ├── trusted-profile-analyzer │ ├── Chart.yaml │ ├── config.json │ ├── templates │ │ ├── SEALED-postgresql-admin-credentials.yaml │ │ ├── SEALED-postgresql-user-credentials.yaml │ │ ├── example-db.yaml │ 
│ └── namespace.yaml │ ├── values-importers.yaml │ ├── values-rhtpa.yaml │ └── values.yaml │ ├── update-clusterversion │ ├── README.md │ ├── config.json │ ├── kustomization.yaml │ └── values.yaml │ ├── wave-acm-policy-management │ ├── config.json │ ├── kustomization.yaml │ └── values.yaml │ └── waves │ └── acm-policies │ ├── acm-preparation │ ├── managedClusterSet.yaml │ ├── managedClusterSetBinding.yaml │ └── policyNamespace.yaml │ └── clusterhealth │ ├── kustomization.yaml │ └── values.yaml ├── ct-test.sh ├── delete_GitOps.sh ├── helm-lint-test.sh ├── init_GitOps.sh ├── renovate.json ├── scripts ├── etcd-encryption │ └── check_encryption_status.sh ├── example_bindpassword │ ├── README.md │ └── create_sealed_secret.sh ├── example_htpasswd │ ├── README.md │ └── create_sealed_secret-mgmt-cluster.sh ├── loginpage-secrets │ ├── create_sealed_secret.sh │ ├── login.html │ └── providers.html ├── sealed_secrets │ ├── create-custom-certificate.sh │ ├── get-sealed-secret-key.sh │ └── replace-sealed-secrets-secret.sh └── sonarqube │ └── create_sealed_secret.sh ├── tenants ├── tenant1 │ └── in-cluster │ │ └── values.yaml ├── tenant2 │ └── in-cluster │ │ └── values.yaml ├── tenant3 │ └── in-cluster │ │ └── values.yaml └── values-global.yaml └── values-openshift-gitops.yaml /.gitattributes: -------------------------------------------------------------------------------- 1 | *.yml linguist-detectable=true 2 | *.yaml linguist-detectable=true 3 | *.tpl linguist-detectable=true 4 | *.html linguist-detectable=false 5 | 6 | -------------------------------------------------------------------------------- /.github/workflows/linting.yml: -------------------------------------------------------------------------------- 1 | name: Linting 2 | 3 | on: 4 | push: 5 | branches: 6 | - main 7 | pull_request: 8 | paths-ignore: 9 | - '.github/**' 10 | - 'README.md' 11 | 12 | jobs: 13 | ct-lint-test: 14 | runs-on: ubuntu-latest 15 | steps: 16 | - name: Checkout 17 | uses: 
actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 18 | 19 | - name: Set up Helm 20 | uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4 21 | env: 22 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 23 | 24 | - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5 25 | with: 26 | python-version: 3.13 27 | 28 | - name: Set up chart-testing 29 | uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b # v2.7.0 30 | 31 | - name: Run chart-testing (lint) 32 | run: | 33 | #!/usr/bin/env bash 34 | for charts in `find . -name 'Chart.yaml' -type f | xargs -I{} dirname {}`; do 35 | printf "\n\n##### CHECKING $charts #####\n"; 36 | ct lint --charts $charts; 37 | done 38 | 39 | lint-test: 40 | runs-on: ubuntu-latest 41 | container: 42 | image: quay.io/tjungbau/linter-image:v1.0.2@sha256:c0bb67983d796c9004edf6a28fa580cb94fa030e5f0fbb05193c2b8b74fb715e 43 | steps: 44 | - name: Checkout 45 | uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 46 | 47 | - name: Run helm lint on found Charts 48 | run: | 49 | #!/usr/bin/env bash 50 | 51 | for charts in $(find . -name 'Chart.yaml'); do 52 | helm_dir=$(dirname "${charts}") 53 | echo "Checking $helm_dir" 54 | echo "Trying to find in-cluster-values.yaml files" 55 | add_val_files=$(find $helm_dir -type f -name in-cluster-values.yaml) 56 | if [ -z "$add_val_files" ]; then 57 | echo "No additional files found" 58 | values="" 59 | else 60 | echo "Additional file found $add_val_files" 61 | values="-f $add_val_files" 62 | fi 63 | 64 | helm dep up "${helm_dir}" 65 | helm lint --strict $values "${helm_dir}" 66 | echo "Done" 67 | done 68 | 69 | - name: Run yamllint on all values-files 70 | id: yamllint_test 71 | run: | 72 | get_files=$(find . 
-type f -name '*values.yaml') 73 | yamllint -f standard -c .yamllint.yaml $get_files 74 | 75 | echo "Done checking with yamllint" 76 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # General files for the project 2 | pkg/* 3 | *.pyc 4 | bin/* 5 | .project 6 | /.bin 7 | /_test/secrets/*.json 8 | 9 | # OSX leaves these everywhere on SMB shares 10 | ._* 11 | 12 | # OSX trash 13 | .DS_Store 14 | 15 | # Files generated by JetBrains IDEs, e.g. IntelliJ IDEA 16 | .idea/ 17 | *.iml 18 | 19 | # Vscode files 20 | .vscode 21 | 22 | # Emacs save files 23 | *~ 24 | \#*\# 25 | .\#* 26 | 27 | # Vim-related files 28 | [._]*.s[a-w][a-z] 29 | [._]s[a-w][a-z] 30 | *.un~ 31 | Session.vim 32 | .netrwhist 33 | 34 | # Chart dependencies 35 | **/charts/*.tgz 36 | **/charts 37 | Chart.lock 38 | 39 | .history 40 | 41 | *.tgz 42 | 43 | scripts/example_htpasswd/users.htpasswd 44 | 45 | *.key 46 | *.crt 47 | -------------------------------------------------------------------------------- /.kube-linter.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | checks: 3 | addAllBuiltIn: true 4 | exclude: 5 | # Don't require dedicated ServiceAccount for each deployment 6 | - 'default-service-account' 7 | # Don't alert if Deployments only use 1 replicas 8 | - 'minimum-three-replicas' 9 | # Don't alert if used ServiceAccount can't be detected 10 | - 'non-existent-service-account' 11 | # Don't alert if Deployments use replace update strategy 12 | - 'no-rolling-update-strategy' 13 | -------------------------------------------------------------------------------- /.yamllint.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yamllint configuration 3 | # See: https://github.com/helm/charts/pull/2429 4 | rules: 5 | comments-indentation: disable 6 | key-duplicates: enable 7 | 
line-length: disable # Lines can be any length 8 | new-line-at-end-of-file: disable 9 | new-lines: 10 | type: unix 11 | trailing-spaces: enable 12 | truthy: 13 | level: warning 14 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | [![Linting](https://github.com/tjungbauer/openshift-clusterconfig-gitops/actions/workflows/linting.yml/badge.svg)](https://github.com/tjungbauer/openshift-clusterconfig-gitops/actions/workflows/linting.yml) 2 | 3 | # openshift-clusterconfig-gitops 4 | 5 | This repository demonstrates the usage of OpenShift-GitOps and a secrets manager like Sealed Secrets or Hashicorp Vault. 6 | The focus lies on main cluster configuration. 7 | 8 | This repository is never to be considered as finished ever, since new cluster configuration may happen at any time. 9 | 10 | ## Initialize 11 | 12 | Before gitops can be used some basic setup must be done. A shell script has been prepared to do that for you: 13 | 14 | 1. Deploy the OpenShift GitOps operator: 15 | ``` 16 | ./init_GitOps.sh 17 | ``` 18 | 19 | This will deploy the Redhat Gitops operator, the Application of Applications and optionally Sealed Secrets and/or Hashicorp Vault. 20 | 21 | NOTE: Hashicorp Vault is as of today installed only. Nothing else is done yet. 22 | 23 | 2. Download the Sealed Secret certificate for this specific cluster. 24 | 25 | The following script will store the certificate into ~/.bitnami/ 26 | ``` 27 | ./scripts/sealed_secrets/get-sealed-secret-key.sh 28 | ``` 29 | 30 | ## Help Charts Repository 31 | 32 | Most Helm Charts can be found at: https://charts.stderr.at/ 33 | -------------------------------------------------------------------------------- /_templates.gotmpl: -------------------------------------------------------------------------------- 1 | 2 | {{ define "doc.header" -}} 3 | 4 | {{ template "chart.header" . 
}} 5 | 6 | [![License](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) 7 | [![Release Charts](https://github.com/tjungbauer/helm-charts/actions/workflows/release.yml/badge.svg)](https://github.com/tjungbauer/helm-charts/actions/workflows/release.yml) 8 | 9 | {{ template "chart.versionBadge" . }} 10 | 11 | {{ template "chart.deprecationWarning" . }} 12 | 13 | ## Description 14 | 15 | {{ template "chart.description" . }} 16 | 17 | {{- end }} 18 | 19 | 20 | {{ define "doc.deps" -}} 21 | 22 | ## Dependencies 23 | 24 | This chart has the following dependencies: 25 | 26 | {{ template "chart.requirementsTable" . }} 27 | 28 | {{- end }} 29 | 30 | {{ define "doc.values" -}} 31 | 32 | {{ template "chart.valuesSection" . }} 33 | 34 | {{- end }} 35 | 36 | 37 | {{ define "doc.maintainer_and_sources" -}} 38 | 39 | {{ template "chart.maintainersSection" . }} 40 | 41 | ## Sources 42 | Source: {{ template "chart.sourcesList" . }} 43 | 44 | Source code: {{ template "chart.homepage" . }} 45 | 46 | {{- end }} 47 | 48 | {{ define "doc.footer" -}} 49 | 50 | {{ template "helm-docs.versionFooter" . 
}} 51 | 52 | {{- end }} -------------------------------------------------------------------------------- /base/argocd-resources-manager/README.md: -------------------------------------------------------------------------------- 1 | # argocd-resources-manager 2 | 3 | [![License](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) 4 | [![Linting](https://github.com/tjungbauer/openshift-clusterconfig-gitops/actions/workflows/linting.yml/badge.svg)](https://github.com/tjungbauer/openshift-clusterconfig-gitops/actions/workflows/linting.yml) 5 | [![Release Charts](https://github.com/tjungbauer/helm-charts/actions/workflows/release.yml/badge.svg)](https://github.com/tjungbauer/helm-charts/actions/workflows/release.yml) 6 | 7 | ![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) 8 | 9 | ## Description 10 | 11 | The Argo CD resources manager is used as App-of-Apps for cluster configuration following the GitOps approach. In this folder a single values-file is stored only, while the actual Helm chart that is used is https://github.com/tjungbauer/helm-charts/tree/main/charts/helper-argocd 12 | **helper-argocd** is used to render Applications, ApplicationSets and AppProjects. 13 | 14 | Verify the local values.yaml or the README.md at https://github.com/tjungbauer/helm-charts/tree/main/charts/helper-argocd for further information. 15 | -------------------------------------------------------------------------------- /base/init_app_of_apps/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: init_app_of_apps 3 | description: Installs a single application into Argo CD, which automatically syncs all other applications and ApplicationSets. 
4 | version: 2.0.0 5 | maintainers: 6 | - name: tjungbauer 7 | email: tjungbau@redhat.com 8 | url: https://blog.stderr.at/ 9 | dependencies: 10 | - name: tpl 11 | version: ~1.0.0 12 | repository: https://charts.stderr.at/ 13 | - name: helper-argocd 14 | version: ~2.0.41 15 | repository: https://charts.stderr.at/ 16 | sources: 17 | - https://github.com/tjungbauer/openshift-clusterconfig-gitops 18 | home: https://github.com/tjungbauer/openshift-clusterconfig-gitops/tree/main/base/init_app_of_apps 19 | keywords: 20 | - helper 21 | - subchart 22 | - gitops 23 | -------------------------------------------------------------------------------- /base/init_app_of_apps/LICENSE: -------------------------------------------------------------------------------- 1 | Copyright 2022 Thomas Jungbauer 2 | 3 | Licensed under the Apache License, Version 2.0 (the "License"); 4 | you may not use this file except in compliance with the License. 5 | You may obtain a copy of the License at 6 | 7 | http://www.apache.org/licenses/LICENSE-2.0 8 | 9 | Unless required by applicable law or agreed to in writing, software 10 | distributed under the License is distributed on an "AS IS" BASIS, 11 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | See the License for the specific language governing permissions and 13 | limitations under the License. 
-------------------------------------------------------------------------------- /base/init_app_of_apps/templates/_helpers.tpl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tjungbauer/openshift-clusterconfig-gitops/d47d85acc9324972e253db70a46fa16ee3c17d28/base/init_app_of_apps/templates/_helpers.tpl -------------------------------------------------------------------------------- /base/init_app_of_apps/values.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | helper-argocd: 3 | applications: 4 | argocd-resources-manager: 5 | enabled: true 6 | server: https://kubernetes.default.svc 7 | namespace: {} 8 | project: default 9 | description: "This is the starting point which will initialize all applicationsets or argocd applications" 10 | labels: 11 | category: test 12 | syncPolicy: 13 | autosync_enabled: true 14 | syncpolicy_prune: true 15 | syncpolicy_selfheal: true 16 | 17 | multiple_sources: 18 | # Define repository of the values-file 19 | - repoUrl: https://github.com/tjungbauer/openshift-clusterconfig-gitops 20 | targetRevision: main 21 | ref: values 22 | # Define Helm Chart repository 23 | - repoUrl: "https://charts.stderr.at/" 24 | chart: helper-argocd 25 | targetRevision: 2.0.41 26 | # Path to the values file 27 | helm: 28 | default_values_file: $values/base/argocd-resources-manager/values.yaml 29 | 30 | general: 31 | server: dummy 32 | -------------------------------------------------------------------------------- /clusters/all/base-operators/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: deploy-base-operators 3 | description: Deploy base operators WITHOUT any additional configuration. This simply adds the Subscription and leave further configuration to you or another Chart. 
4 | version: 1.0.0 5 | dependencies: 6 | - name: helper-operator 7 | version: ~1.0.0 8 | repository: https://charts.stderr.at/ 9 | maintainers: 10 | - name: tjungbauer 11 | -------------------------------------------------------------------------------- /clusters/all/base-operators/LICENSE: -------------------------------------------------------------------------------- 1 | Copyright 2022 Thomas Jungbauer 2 | 3 | Licensed under the Apache License, Version 2.0 (the "License"); 4 | you may not use this file except in compliance with the License. 5 | You may obtain a copy of the License at 6 | 7 | http://www.apache.org/licenses/LICENSE-2.0 8 | 9 | Unless required by applicable law or agreed to in writing, software 10 | distributed under the License is distributed on an "AS IS" BASIS, 11 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | See the License for the specific language governing permissions and 13 | limitations under the License. -------------------------------------------------------------------------------- /clusters/all/base-operators/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tjungbauer/openshift-clusterconfig-gitops/d47d85acc9324972e253db70a46fa16ee3c17d28/clusters/all/base-operators/README.md -------------------------------------------------------------------------------- /clusters/all/base-operators/templates/_helpers.tpl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tjungbauer/openshift-clusterconfig-gitops/d47d85acc9324972e253db70a46fa16ee3c17d28/clusters/all/base-operators/templates/_helpers.tpl -------------------------------------------------------------------------------- /clusters/all/project-onboarding/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: proj-onboarding 3 | description: This Chart 
shall deploy namespaces and their depending resources, like NetworkPolicies or Quotas etc. 4 | version: 1.0.5 5 | dependencies: 6 | - name: tpl 7 | version: ~1.0.0 8 | repository: https://charts.stderr.at/ 9 | - name: helper-proj-onboarding 10 | version: ~1.0.0 11 | repository: https://charts.stderr.at/ 12 | maintainers: 13 | - name: tjungbauer 14 | -------------------------------------------------------------------------------- /clusters/all/project-onboarding/README.md: -------------------------------------------------------------------------------- 1 | TODO 2 | -------------------------------------------------------------------------------- /clusters/all/project-onboarding/templates/_helpers.tpl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tjungbauer/openshift-clusterconfig-gitops/d47d85acc9324972e253db70a46fa16ee3c17d28/clusters/all/project-onboarding/templates/_helpers.tpl -------------------------------------------------------------------------------- /clusters/all/project-onboarding/templates/argocd-project.yaml: -------------------------------------------------------------------------------- 1 | {{ if eq ( .Values.rbac_standalone | toString) "true" }} 2 | {{- range $key, $value := .Values.namespaces }} 3 | 4 | {{ range $key_approject, $value_appproject := $value.argocd_rbac_setup }} 5 | {{ if eq ($value_appproject.enabled | toString) "true" }} 6 | --- 7 | apiVersion: argoproj.io/v1alpha1 8 | kind: AppProject 9 | metadata: 10 | annotations: 11 | argocd.argoproj.io/sync-wave: "1" 12 | name: {{ $value_appproject.name | replace "_" "-" }} 13 | namespace: {{ $.Values.global.application_gitops_namespace }} 14 | labels: 15 | {{- include "tpl.labels" $ | nindent 4 }} 16 | spec: 17 | description: {{ $value_appproject.name | replace "_" "-" }} GitOps Project 18 | clusterResourceWhitelist: 19 | - group: '*' 20 | kind: '*' 21 | roles: 22 | {{- range $role_key, $role_value := $value_appproject.rbac 
}} 23 | - name: {{ .name }} 24 | description: {{ .description | quote }} 25 | groups: 26 | {{- if .overwrite_oidc_groups }} 27 | {{- range .overwrite_oidc_groups }} 28 | - '{{ . }}' 29 | {{- end }} 30 | {{- else if $.Values.allowed_oidc_groups }} 31 | {{- range $.Values.allowed_oidc_groups }} 32 | - '{{ . }}' 33 | {{- end }} 34 | {{- else }} 35 | - dummy-group 36 | {{- end }} 37 | policies: 38 | {{- range .policies }} 39 | - 'p, proj:{{ $value_appproject.name }}:{{ $role_value.name }}, {{ .resource | default "applications" }}, {{ .action }}, {{ $value_appproject.name }}/{{ .object | default "*" }}, {{ .permission | default "deny" }}' 40 | {{- end }} 41 | {{- end }} 42 | sourceRepos: 43 | {{- if $value_appproject.sourceRepos }} 44 | {{- range $value_appproject.sourceRepos }} 45 | - '{{ . }}' 46 | {{- end }} 47 | {{- else if $.Values.allowed_source_repos }} 48 | {{- range $.Values.allowed_source_repos }} 49 | - '{{ . }}' 50 | {{- end }} 51 | {{- else if $.Values.global.allowed_source_repos }} 52 | {{- range $.Values.global.allowed_source_repos }} 53 | - '{{ . 
}}' 54 | {{- end }} 55 | {{- end }} 56 | 57 | {{- /* 58 | Get global values and find the URL and name of the cluster 59 | */}} 60 | destinations: 61 | {{- range $allowedenv_key, $allowedenv_value := $.Values.allowed_envs }} 62 | {{- range $envs_key, $envs_value := $.Values.global.envs }} 63 | {{- if eq ($envs_value.name | toString) ($allowedenv_value | toString) }} 64 | {{- $cluster_name := $envs_value.name }} 65 | {{- $cluster_url := $envs_value.url }} 66 | - name: {{ $cluster_name }} 67 | namespace: {{ $value.url }} 68 | server: {{ $cluster_url }} 69 | {{- end }} 70 | {{- end }} 71 | {{- end }} 72 | {{- end }} 73 | 74 | 75 | {{- end }} 76 | {{- end }} 77 | {{- end }} -------------------------------------------------------------------------------- /clusters/all/project-onboarding/values.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | -------------------------------------------------------------------------------- /clusters/management-cluster/applications-gitops/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: gitops-deployment 3 | description: Deployment of a GitOps for Application Management 4 | version: 1.0.0 5 | dependencies: 6 | - name: openshift-gitops 7 | version: ~1.0.5 8 | repository: https://charts.stderr.at 9 | - name: tpl 10 | version: ~1.0.0 11 | repository: https://charts.stderr.at/ 12 | maintainers: 13 | - name: tjungbauer 14 | -------------------------------------------------------------------------------- /clusters/management-cluster/applications-gitops/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | # GitOps instance for Application workload 4 | 5 | [![License](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) 6 | 
[![Linting](https://github.com/tjungbauer/openshift-clusterconfig-gitops/actions/workflows/linting.yml/badge.svg)](https://github.com/tjungbauer/openshift-clusterconfig-gitops/actions/workflows/linting.yml) 7 | 8 | 9 | ## Description 10 | 11 | The default instance of Argo CD (openshift gitops operator) has more permissions than you usually want to have. Too many privileges than you want to give developers for workload onboarding. 12 | Therefore, a 2nd (or even more) Argo CD instance can be deployed. This Helm chart will help you configure this instance. 13 | 14 | ## Dependencies 15 | 16 | This chart has the following dependencies: 17 | 18 | | Repository | Name | Version | 19 | |------------|------|---------| 20 | | https://charts.stderr.at/ | openshift-gitops | ~1.0.5 | 21 | 22 | ## Maintainers 23 | 24 | | Name | Email | Url | 25 | | ---- | ------ | --- | 26 | | tjungbauer | | | 27 | 28 | ## Sources 29 | Source: 30 | * 31 | * 32 | * 33 | 34 | Source code: https://github.com/tjungbauer/helm-charts/tree/main/charts/openshift-gitops 35 | 36 | ## Parameters 37 | 38 | Verify the sub-charts for a documentation of the possible settings: 39 | 40 | * [openshift-gitops](https://github.com/tjungbauer/helm-charts/tree/main/charts/openshift-gitops) 41 | 42 | ## Example 43 | 44 | ```yaml 45 | --- 46 | hostname: &hostname gitops.apps.prod.ocp.cluster 47 | 48 | openshift-gitops: 49 | gitopsinstances: 50 | gitops_application: 51 | enabled: true 52 | namespace: gitops-application 53 | clusterAdmin: disabled 54 | 55 | server: 56 | # host: *hostname 57 | route: 58 | enabled: true 59 | 60 | generic_config: 61 | disableAdmin: true 62 | resourceTrackingMethod: annotation 63 | kustomizeBuildOptions: "--enable-helm" 64 | 65 | controller: {} 66 | ha: {} 67 | redis: {} 68 | repo: {} 69 | appset: {} 70 | sso: 71 | dex: 72 | openShiftOAuth: true 73 | 74 | rbac: 75 | defaultRole: 'role:none' 76 | 77 | policy: |- 78 | # Access Control 79 | g, system:cluster-admins, role:admin 80 | g, 
cluster-admin, role:admin 81 | p, role:none, applications, get, */*, deny 82 | p, role:none, certificates, get, *, deny 83 | p, role:none, clusters, get, *, deny 84 | p, role:none, repositories, get, *, deny 85 | p, role:none, projects, get, *, deny 86 | p, role:none, accounts, get, *, deny 87 | p, role:none, gpgkeys, get, *, deny 88 | scopes: '[groups]' 89 | 90 | resourceExclusions: |- 91 | # resources to be excluded 92 | - apiGroups: 93 | - tekton.dev 94 | clusters: 95 | - '*' 96 | kinds: 97 | - TaskRun 98 | - PipelineRun 99 | 100 | # This will create some default health checks I usually add. 101 | # * ClusterLogging, * Application (Argo CD), * Lokistack, * Subcription, * Central (ACS), InstallPlan 102 | # @default -- false 103 | default_resourceHealthChecks: true 104 | ``` 105 | 106 | This will create a 2nd Argo CD instance in the namespace "gitops-application" -------------------------------------------------------------------------------- /clusters/management-cluster/applications-gitops/config.json: -------------------------------------------------------------------------------- 1 | { 2 | "namespace": "application-gitops", 3 | "environment": "in-cluster" 4 | } -------------------------------------------------------------------------------- /clusters/management-cluster/applications-gitops/templates/gitops-rolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{ with index .Values "openshift-gitops" }} 2 | {{- range $key, $value := .gitopsinstances }} 3 | {{ if eq ($value.enabled | toString) "true" }} 4 | --- 5 | apiVersion: rbac.authorization.k8s.io/v1 6 | kind: RoleBinding 7 | metadata: 8 | name: {{ $key | replace "_" "-" }}-rolebinding 9 | namespace: {{ $value.namespace | default "openshift-operators" | quote }} 10 | labels: 11 | {{- include "tpl.labels" $ | nindent 4 }} 12 | roleRef: 13 | apiGroup: rbac.authorization.k8s.io 14 | kind: Role 15 | name: {{ $key | replace "_" "-" }}-role 16 | subjects: 17 | - 
kind: ServiceAccount 18 | name: gitops-application-argocd-application-controller 19 | namespace: {{ .namespace | default "openshift-operators" | quote }} 20 | {{- end }} 21 | {{- end }} 22 | {{- end }} 23 | -------------------------------------------------------------------------------- /clusters/management-cluster/applications-gitops/templates/gitops-roles.yaml: -------------------------------------------------------------------------------- 1 | {{ with index .Values "openshift-gitops" }} 2 | {{- range $key, $value := .gitopsinstances }} 3 | {{ if eq ($value.enabled | toString) "true" }} 4 | --- 5 | apiVersion: rbac.authorization.k8s.io/v1 6 | kind: Role 7 | metadata: 8 | name: {{ $key | replace "_" "-" }}-role 9 | namespace: {{ $value.namespace | default "openshift-operators" | quote }} 10 | labels: 11 | {{- include "tpl.labels" $ | nindent 4 }} 12 | rules: 13 | - apiGroups: 14 | - "*" 15 | resources: 16 | - "*" 17 | verbs: 18 | - Get 19 | - List 20 | - Watch 21 | - Patch 22 | {{- end }} 23 | {{- end }} 24 | {{- end }} 25 | -------------------------------------------------------------------------------- /clusters/management-cluster/applications-gitops/values.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | hostname: &hostname gitops.apps.prod.ocp.cluster 3 | 4 | openshift-gitops: 5 | gitopsinstances: 6 | gitops_application: 7 | enabled: true 8 | namespace: gitops-application 9 | clusterAdmin: disabled 10 | 11 | server: 12 | host: *hostname 13 | route: 14 | enabled: true 15 | 16 | generic_config: 17 | disableAdmin: true 18 | resourceTrackingMethod: annotation 19 | kustomizeBuildOptions: "--enable-helm" 20 | 21 | controller: {} 22 | ha: {} 23 | redis: {} 24 | repo: {} 25 | appset: {} 26 | sso: 27 | enabled: true 28 | dex: 29 | openShiftOAuth: true 30 | 31 | rbac: 32 | defaultRole: 'role:none' 33 | 34 | policy: |- 35 | # Access Control 36 | g, system:cluster-admins, role:admin 37 | g, cluster-admin, role:admin 38 | 
p, role:none, applications, get, */*, deny 39 | p, role:none, certificates, get, *, deny 40 | p, role:none, clusters, get, *, deny 41 | p, role:none, repositories, get, *, deny 42 | p, role:none, projects, get, *, deny 43 | p, role:none, accounts, get, *, deny 44 | p, role:none, gpgkeys, get, *, deny 45 | scopes: '[groups]' 46 | 47 | resourceExclusions: |- 48 | # resources to be excluded 49 | - apiGroups: 50 | - tekton.dev 51 | clusters: 52 | - '*' 53 | kinds: 54 | - TaskRun 55 | - PipelineRun 56 | 57 | # This will create some default health checks I usually add. 58 | # * ClusterLogging, * Application (Argo CD), * Lokistack, * Subscription, * Central (ACS), InstallPlan 59 | # @default -- false 60 | default_resourceHealthChecks: true 61 | -------------------------------------------------------------------------------- /clusters/management-cluster/branding/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: clusterbranding 3 | description: Deploys Cluster Branding such as custom Login Page or Logo etc. 4 | version: 1.0.1 5 | dependencies: 6 | - name: generic-cluster-config 7 | version: ~1.0.10 8 | repository: https://charts.stderr.at/ 9 | maintainers: 10 | - name: tjungbauer 11 | email: tjungbau@redhat.com 12 | url: https://blog.stderr.at/ 13 | sources: 14 | - https://github.com/tjungbauer/helm-charts 15 | - https://charts.stderr.at/ 16 | - https://github.com/tjungbauer/openshift-clusterconfig-gitops 17 | keywords: 18 | - secure-supply-chain 19 | - security 20 | -------------------------------------------------------------------------------- /clusters/management-cluster/branding/LICENSE: -------------------------------------------------------------------------------- 1 | Copyright 2022 Thomas Jungbauer 2 | 3 | Licensed under the Apache License, Version 2.0 (the "License"); 4 | you may not use this file except in compliance with the License. 
5 | You may obtain a copy of the License at 6 | 7 | http://www.apache.org/licenses/LICENSE-2.0 8 | 9 | Unless required by applicable law or agreed to in writing, software 10 | distributed under the License is distributed on an "AS IS" BASIS, 11 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | See the License for the specific language governing permissions and 13 | limitations under the License. -------------------------------------------------------------------------------- /clusters/management-cluster/branding/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | # clusterbranding 4 | 5 | [![License](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) 6 | [![Linting](https://github.com/tjungbauer/openshift-clusterconfig-gitops/actions/workflows/linting.yml/badge.svg)](https://github.com/tjungbauer/openshift-clusterconfig-gitops/actions/workflows/linting.yml) 7 | [![Release Charts](https://github.com/tjungbauer/helm-charts/actions/workflows/release.yml/badge.svg)](https://github.com/tjungbauer/helm-charts/actions/workflows/release.yml) 8 | 9 | ![Version: 1.0.1](https://img.shields.io/badge/Version-1.0.1-informational?style=flat-square) 10 | 11 | 12 | 13 | ## Description 14 | 15 | Deploys Cluster Branding such as custom Login Page or Logo etc. 16 | 17 | This Helm Chart will create Top and/or Bottom banners for the OpenShift WebUI. 18 | The values are passed to the sub-chart **generic-cluster-config**. 19 | 20 | Verify the README of the Helm Chart [generic-cluster-config](https://github.com/tjungbauer/helm-charts/tree/main/charts/generic-cluster-config) for further information. 
21 | 22 | ## Dependencies 23 | 24 | This chart has the following dependencies: 25 | 26 | | Repository | Name | Version | 27 | |------------|------|---------| 28 | | https://charts.stderr.at/ | generic-cluster-config | ~1.0.10 | 29 | 30 | ## Maintainers 31 | 32 | | Name | Email | Url | 33 | | ---- | ------ | --- | 34 | | tjungbauer | | | 35 | 36 | ## Sources 37 | Source: 38 | * 39 | * 40 | * 41 | 42 | Source code: 43 | 44 | ## Example 45 | 46 | ```yaml 47 | --- 48 | generic-cluster-config: 49 | console: 50 | console_banners: 51 | topbanner: 52 | enabled: true 53 | text: 'Management Cluster' 54 | location: BannerTop 55 | color: "#FFFFFF" 56 | backgroundcolor: '#0088ee' 57 | bottombanner: 58 | enabled: false 59 | text: Copyright © 2024 Sample Company, Inc. | 60 | location: BannerBottom 61 | color: "#FFFFFF" 62 | backgroundcolor: '#000' 63 | link: 64 | href: 'https://www.example.com/data-protection-policy' 65 | text: Data Protection and Privacy Policy 66 | ``` 67 | 68 | ---------------------------------------------- 69 | Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0) 70 | -------------------------------------------------------------------------------- /clusters/management-cluster/branding/README.md.gotmpl: -------------------------------------------------------------------------------- 1 | {{ template "doc.header" . }} 2 | 3 | This Helm Chart will create Top and/or Bottom banners for the OpenShift WebUI. 4 | The values are passed to the sub-chart **generic-cluster-config**. 5 | 6 | Verify the README of the Helm Chart [generic-cluster-config](https://github.com/tjungbauer/helm-charts/tree/main/charts/generic-cluster-config) for further information. 7 | 8 | {{ template "doc.deps" . }} 9 | 10 | {{ template "doc.maintainer_and_sources" . 
}} 11 | 12 | ## Example 13 | 14 | ```yaml 15 | --- 16 | generic-cluster-config: 17 | console: 18 | console_banners: 19 | topbanner: 20 | enabled: true 21 | text: 'Management Cluster' 22 | location: BannerTop 23 | color: "#FFFFFF" 24 | backgroundcolor: '#0088ee' 25 | bottombanner: 26 | enabled: false 27 | text: Copyright © 2024 Sample Company, Inc. | 28 | location: BannerBottom 29 | color: "#FFFFFF" 30 | backgroundcolor: '#000' 31 | link: 32 | href: 'https://www.example.com/data-protection-policy' 33 | text: Data Protection and Privacy Policy 34 | ``` 35 | 36 | {{ template "doc.footer" . }} 37 | -------------------------------------------------------------------------------- /clusters/management-cluster/branding/config.json: -------------------------------------------------------------------------------- 1 | { 2 | "namespace": "default", 3 | "environment": "in-cluster", 4 | } -------------------------------------------------------------------------------- /clusters/management-cluster/branding/templates/_helpers.tpl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tjungbauer/openshift-clusterconfig-gitops/d47d85acc9324972e253db70a46fa16ee3c17d28/clusters/management-cluster/branding/templates/_helpers.tpl -------------------------------------------------------------------------------- /clusters/management-cluster/branding/values.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | generic-cluster-config: 3 | console: 4 | console_banners: 5 | topbanner: 6 | enabled: true 7 | text: 'Management Cluster' 8 | location: BannerTop 9 | color: "#FFFFFF" 10 | backgroundcolor: '#FF0000' 11 | bottombanner: 12 | enabled: false 13 | text: Copyright © 2024 Sample Company, Inc. 
| 14 | location: BannerBottom 15 | color: "#FFFFFF" 16 | backgroundcolor: '#000' 17 | link: 18 | href: 'https://www.example.com/data-protection-policy' 19 | text: Data Protection and Privacy Policy 20 | -------------------------------------------------------------------------------- /clusters/management-cluster/cert-manager/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: cert-manager 3 | description: Setup and configure the cert Manager operator 4 | home: https://github.com/tjungbauer/openshift-clusterconfig-gitops/tree/main/clusters/management-cluster/cert-manager 5 | version: 2.0.0 6 | dependencies: 7 | - name: tpl 8 | version: ~1.0.0 9 | repository: https://charts.stderr.at/ 10 | - name: helper-operator 11 | version: ~1.0.21 12 | repository: https://charts.stderr.at/ 13 | - name: helper-status-checker 14 | version: ~4.0.0 15 | repository: https://charts.stderr.at/ 16 | condition: helper-status-checker.enabled 17 | - name: cert-manager 18 | version: ~2.0.0 19 | repository: https://charts.stderr.at/ 20 | - name: cert-manager-approver-policy 21 | version: v0.19.0 22 | repository: https://charts.jetstack.io 23 | maintainers: 24 | - name: tjungbauer 25 | email: tjungbau@redhat.com 26 | url: https://blog.stderr.at/ 27 | sources: 28 | - https://github.com/tjungbauer/helm-charts 29 | - https://charts.stderr.at/ 30 | - https://github.com/tjungbauer/openshift-clusterconfig-gitops 31 | keywords: 32 | - compliance 33 | - security 34 | -------------------------------------------------------------------------------- /clusters/management-cluster/cert-manager/LICENSE: -------------------------------------------------------------------------------- 1 | Copyright 2022 Thomas Jungbauer 2 | 3 | Licensed under the Apache License, Version 2.0 (the "License"); 4 | you may not use this file except in compliance with the License. 
5 | You may obtain a copy of the License at 6 | 7 | http://www.apache.org/licenses/LICENSE-2.0 8 | 9 | Unless required by applicable law or agreed to in writing, software 10 | distributed under the License is distributed on an "AS IS" BASIS, 11 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | See the License for the specific language governing permissions and 13 | limitations under the License. -------------------------------------------------------------------------------- /clusters/management-cluster/cert-manager/config.json: -------------------------------------------------------------------------------- 1 | { 2 | "namespace": "cert-manager", 3 | "environment": "in-cluster", 4 | "cluster": "in-cluster" 5 | } -------------------------------------------------------------------------------- /clusters/management-cluster/cert-manager/templates/ClusterRole-Approver-Policy-approving.yaml: -------------------------------------------------------------------------------- 1 | kind: ClusterRole 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | metadata: 4 | name: {{ .Values.role | quote }} 5 | labels: 6 | {{- include "tpl.labels" $ | nindent 4 }} 7 | rules: 8 | - verbs: 9 | - use 10 | apiGroups: 11 | - policy.cert-manager.io 12 | resources: 13 | - certificaterequestpolicies 14 | resourceNames: 15 | {{- range .Values.policies }} 16 | {{- if eq (.enabled | toString) "true" }} 17 | - {{ .name }} 18 | {{- end }} 19 | {{- end }} 20 | -------------------------------------------------------------------------------- /clusters/management-cluster/cert-manager/templates/ClusterRoleBinding-Approver-Policy-approving.yaml: -------------------------------------------------------------------------------- 1 | kind: ClusterRoleBinding 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | metadata: 4 | name: {{ .Values.role | quote }} 5 | labels: 6 | {{- include "tpl.labels" $ | nindent 4 }} 7 | subjects: 8 | - kind: ServiceAccount 9 | name: {{ .Values.serviceAccount 
}} 10 | namespace: {{ .Values.cert_manager_Namespace }} 11 | roleRef: 12 | apiGroup: rbac.authorization.k8s.io 13 | kind: ClusterRole 14 | name: {{ .Values.role | quote }} 15 | -------------------------------------------------------------------------------- /clusters/management-cluster/cert-manager/templates/SealedSecret-Credentials.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: bitnami.com/v1alpha1 3 | kind: SealedSecret 4 | metadata: 5 | creationTimestamp: null 6 | name: prod-route53-credentials-secret 7 | namespace: cert-manager 8 | spec: 9 | encryptedData: 10 | access-key-id: 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 11 | secret-access-key: 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 12 | template: 13 | metadata: 14 | creationTimestamp: null 15 | name: prod-route53-credentials-secret 16 | namespace: cert-manager 17 | -------------------------------------------------------------------------------- /clusters/management-cluster/cert-manager/templates/_helpers.tpl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tjungbauer/openshift-clusterconfig-gitops/d47d85acc9324972e253db70a46fa16ee3c17d28/clusters/management-cluster/cert-manager/templates/_helpers.tpl -------------------------------------------------------------------------------- /clusters/management-cluster/clusterconfig-apiserver/Chart.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v2 3 | name: clusterconfig-apiserver 4 | description: Enables ETCD encryption, custom certificate and audit-profile for APIServer 5 | version: 1.0.2 6 | dependencies: 7 | - name: tpl 8 | version: ~1.0.0 9 | repository: https://charts.stderr.at/ 10 | - name: generic-cluster-config 11 | version: ~1.0.10 12 | repository: https://charts.stderr.at 13 | - name: cert-manager 14 | version: ~1.0.0 15 | repository: 
https://charts.stderr.at/ 16 | condition: cert-manager.enabled 17 | maintainers: 18 | - name: tjungbauer 19 | email: tjungbau@redhat.com 20 | url: https://blog.stderr.at/ 21 | sources: 22 | - https://github.com/tjungbauer/openshift-clusterconfig-gitops 23 | - https://github.com/tjungbauer/helm-charts 24 | - https://charts.stderr.at/ 25 | home: https://github.com/tjungbauer/openshift-clusterconfig-gitops/tree/main/clusters/all/etcd-encryption 26 | keywords: 27 | - security 28 | -------------------------------------------------------------------------------- /clusters/management-cluster/clusterconfig-apiserver/LICENSE: -------------------------------------------------------------------------------- 1 | Copyright 2022 Thomas Jungbauer 2 | 3 | Licensed under the Apache License, Version 2.0 (the "License"); 4 | you may not use this file except in compliance with the License. 5 | You may obtain a copy of the License at 6 | 7 | http://www.apache.org/licenses/LICENSE-2.0 8 | 9 | Unless required by applicable law or agreed to in writing, software 10 | distributed under the License is distributed on an "AS IS" BASIS, 11 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | See the License for the specific language governing permissions and 13 | limitations under the License. 
-------------------------------------------------------------------------------- /clusters/management-cluster/clusterconfig-apiserver/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | # clusterconfig-apiserver 4 | 5 | [![License](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) 6 | [![Linting](https://github.com/tjungbauer/openshift-clusterconfig-gitops/actions/workflows/linting.yml/badge.svg)](https://github.com/tjungbauer/openshift-clusterconfig-gitops/actions/workflows/linting.yml) 7 | [![Release Charts](https://github.com/tjungbauer/helm-charts/actions/workflows/release.yml/badge.svg)](https://github.com/tjungbauer/helm-charts/actions/workflows/release.yml) 8 | 9 | ![Version: 1.0.2](https://img.shields.io/badge/Version-1.0.2-informational?style=flat-square) 10 | 11 | 12 | 13 | ## Description 14 | 15 | Enables ETCD encryption, custom certificate and audit-profile for APIServer 16 | 17 | Enable ETCD encryption on the clusters and order a certificate for the APIServer. 18 | This chart uses the sub-charts: generic-cluster-config and cert-manager 19 | 20 | ## Dependencies 21 | 22 | This chart has the following dependencies: 23 | 24 | | Repository | Name | Version | 25 | |------------|------|---------| 26 | | https://charts.stderr.at/ | cert-manager | ~1.0.0 | 27 | | https://charts.stderr.at/ | tpl | ~1.0.0 | 28 | | https://charts.stderr.at | generic-cluster-config | ~1.0.10 | 29 | 30 | It is best used with a full GitOps approach such as Argo CD. 
For example, https://github.com/tjungbauer/openshift-clusterconfig-gitops 31 | 32 | ## Maintainers 33 | 34 | | Name | Email | Url | 35 | | ---- | ------ | --- | 36 | | tjungbauer | | | 37 | 38 | ## Sources 39 | Source: 40 | * 41 | * 42 | * 43 | 44 | Source code: https://github.com/tjungbauer/openshift-clusterconfig-gitops/tree/main/clusters/all/etcd-encryption 45 | 46 | ## Parameters 47 | Verify the appropriate sub-charts for a full list of parameters. 48 | 49 | ## Example values 50 | 51 | ```yaml 52 | --- 53 | generic-cluster-config: 54 | apiserver: 55 | enabled: true 56 | 57 | # audit configuration 58 | audit: 59 | profile: Default 60 | 61 | # Configure a custom certificate for the API server 62 | custom_cert: 63 | enabled: false 64 | 65 | cert_names: 66 | - api.ocp.aws.ispworld.at 67 | 68 | secretname: api-certificate 69 | 70 | etcd_encryption: 71 | enabled: true 72 | encryption_type: aesgcm 73 | 74 | namespace: kube-system 75 | 76 | serviceAccount: 77 | create: true 78 | name: "etcd-encryption-checker" 79 | 80 | cert-manager: 81 | enabled: true 82 | 83 | certificates: 84 | enabled: true 85 | 86 | # List of certificates 87 | certificate: 88 | - name: api-certificate 89 | enabled: true 90 | namespace: openshift-config 91 | syncwave: "0" 92 | secretName: api-certificate 93 | 94 | dnsNames: 95 | - api.ocp.aws.ispworld.at 96 | 97 | # Reference to the issuer that shall be used. 98 | issuerRef: 99 | name: letsencrypt-prod 100 | kind: ClusterIssuer 101 | 102 | ``` 103 | 104 | ---------------------------------------------- 105 | Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0) 106 | -------------------------------------------------------------------------------- /clusters/management-cluster/clusterconfig-apiserver/README.md.gotmpl: -------------------------------------------------------------------------------- 1 | {{ template "doc.header" . 
}} 2 | 3 | Enable ETCD encryption on the clusters and order a certificate for the APIServer. 4 | This chart uses the sub-charts: generic-cluster-config and cert-manager 5 | 6 | {{ template "doc.deps" . }} 7 | 8 | It is best used with a full GitOps approach such as Argo CD. For example, https://github.com/tjungbauer/openshift-clusterconfig-gitops 9 | 10 | {{ template "doc.maintainer_and_sources" . }} 11 | 12 | ## Parameters 13 | Verify the appropriate sub-charts for a full list of parameters. 14 | 15 | ## Example values 16 | 17 | ```yaml 18 | --- 19 | generic-cluster-config: 20 | apiserver: 21 | enabled: true 22 | 23 | # audit configuration 24 | audit: 25 | profile: Default 26 | 27 | # Configure a custom certificate for the API server 28 | custom_cert: 29 | enabled: false 30 | 31 | cert_names: 32 | - api.ocp.aws.ispworld.at 33 | 34 | secretname: api-certificate 35 | 36 | etcd_encryption: 37 | enabled: true 38 | encryption_type: aesgcm 39 | 40 | namespace: kube-system 41 | 42 | serviceAccount: 43 | create: true 44 | name: "etcd-encryption-checker" 45 | 46 | cert-manager: 47 | enabled: true 48 | 49 | certificates: 50 | enabled: true 51 | 52 | # List of certificates 53 | certificate: 54 | - name: api-certificate 55 | enabled: true 56 | namespace: openshift-config 57 | syncwave: "0" 58 | secretName: api-certificate 59 | 60 | dnsNames: 61 | - api.ocp.aws.ispworld.at 62 | 63 | # Reference to the issuer that shall be used. 64 | issuerRef: 65 | name: letsencrypt-prod 66 | kind: ClusterIssuer 67 | 68 | ``` 69 | 70 | {{ template "doc.footer" . 
}} 71 | -------------------------------------------------------------------------------- /clusters/management-cluster/clusterconfig-apiserver/config.json: -------------------------------------------------------------------------------- 1 | { 2 | "namespace": "default", 3 | "environment": "in-cluster" 4 | } -------------------------------------------------------------------------------- /clusters/management-cluster/clusterconfig-apiserver/templates/_helpers.tpl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tjungbauer/openshift-clusterconfig-gitops/d47d85acc9324972e253db70a46fa16ee3c17d28/clusters/management-cluster/clusterconfig-apiserver/templates/_helpers.tpl -------------------------------------------------------------------------------- /clusters/management-cluster/clusterconfig-apiserver/values.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # -- Using subchart generic-cluster-config 3 | generic-cluster-config: 4 | apiserver: 5 | enabled: true 6 | 7 | # audit configuration 8 | audit: 9 | profile: Default 10 | 11 | # Configure a custom certificate for the API server 12 | custom_cert: 13 | enabled: true 14 | 15 | cert_names: 16 | - api.ocp.aws.ispworld.at 17 | 18 | secretname: api-certificate 19 | 20 | etcd_encryption: 21 | enabled: true 22 | encryption_type: aesgcm 23 | 24 | # -- Namespace where Job is executed that verifies the status of the encryption 25 | namespace: kube-system 26 | 27 | serviceAccount: 28 | create: true 29 | name: "etcd-encryption-checker" 30 | 31 | cert-manager: 32 | enabled: true 33 | 34 | certificates: 35 | enabled: true 36 | 37 | # List of certificates 38 | certificate: 39 | - name: api-certificate 40 | enabled: true 41 | namespace: openshift-config 42 | syncwave: "0" 43 | secretName: api-certificate 44 | 45 | dnsNames: 46 | - api.ocp.aws.ispworld.at 47 | 48 | # Reference to the issuer that shall be used. 
49 | issuerRef: 50 | name: letsencrypt-prod 51 | kind: ClusterIssuer 52 | -------------------------------------------------------------------------------- /clusters/management-cluster/etcd-backup/Chart.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v2 3 | name: enable-etcd-backup 4 | description: Create a CronJob that performs ETCD Backup and stores the backup to a PV. 5 | version: 1.0.0 6 | home: https://github.com/tjungbauer/helm-charts/tree/main/charts/etcd-backup 7 | icon: https://github.com/tjungbauer/helm-charts/raw/gh-pages/images/backup.png 8 | dependencies: 9 | - name: tpl 10 | version: ~1.0.0 11 | repository: https://charts.stderr.at/ 12 | - name: etcd-backup 13 | version: ~1.0.0 14 | repository: https://charts.stderr.at/ 15 | maintainers: 16 | - name: tjungbauer 17 | email: tjungbau@redhat.com 18 | url: https://blog.stderr.at/ 19 | sources: 20 | - https://github.com/tjungbauer/helm-charts 21 | - https://charts.stderr.at/ 22 | - https://github.com/tjungbauer/openshift-clusterconfig-gitops 23 | -------------------------------------------------------------------------------- /clusters/management-cluster/etcd-backup/LICENSE: -------------------------------------------------------------------------------- 1 | Copyright 2022 Thomas Jungbauer 2 | 3 | Licensed under the Apache License, Version 2.0 (the "License"); 4 | you may not use this file except in compliance with the License. 5 | You may obtain a copy of the License at 6 | 7 | http://www.apache.org/licenses/LICENSE-2.0 8 | 9 | Unless required by applicable law or agreed to in writing, software 10 | distributed under the License is distributed on an "AS IS" BASIS, 11 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | See the License for the specific language governing permissions and 13 | limitations under the License. 
-------------------------------------------------------------------------------- /clusters/management-cluster/etcd-backup/config.json: -------------------------------------------------------------------------------- 1 | { 2 | "namespace": "etcd-backup", 3 | "environment": "in-cluster" 4 | } -------------------------------------------------------------------------------- /clusters/management-cluster/etcd-backup/templates/_helpers.tpl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tjungbauer/openshift-clusterconfig-gitops/d47d85acc9324972e253db70a46fa16ee3c17d28/clusters/management-cluster/etcd-backup/templates/_helpers.tpl -------------------------------------------------------------------------------- /clusters/management-cluster/etcd-backup/values.yaml: -------------------------------------------------------------------------------- 1 | name: &bu_name etcd-backup 2 | backup_storage_size: &backup_storage_size "100Gi" 3 | 4 | etcd-backup: 5 | enabled: true 6 | clusterrolebinding_name: *bu_name 7 | 8 | # Variables for the Namespace where ETCD backup shall be executed. 
9 | namespace: 10 | create: true 11 | name: *bu_name 12 | displayname: "Backup ETCD Automation" 13 | description: "Openshift Backup Automation Tool" 14 | 15 | serviceAccount: *bu_name 16 | 17 | # Settings for the CronJob 18 | cronjob: 19 | name: *bu_name 20 | schedule: "0 */4 * * *" 21 | retention: 30 22 | mountpath: /etcd-backup 23 | 24 | # Settings for the PVC 25 | pvc: 26 | name: *bu_name 27 | size: *backup_storage_size 28 | storageClass: "gp3-csi" 29 | volumeName: *bu_name 30 | -------------------------------------------------------------------------------- /clusters/management-cluster/generic-clusterconfig/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: clusterconfig 3 | description: Installs cluster configuration which is usually valid for ALL clusters 4 | home: https://github.com/tjungbauer/openshift-clusterconfig-gitops/tree/main/clusters/management-cluster/generic-clusterconfig 5 | version: 1.0.1 6 | dependencies: 7 | - name: tpl 8 | version: ~1.0.0 9 | repository: https://charts.stderr.at/ 10 | - name: generic-cluster-config 11 | version: ~1.0.25 12 | repository: https://charts.stderr.at 13 | maintainers: 14 | - name: tjungbauer 15 | email: tjungbau@redhat.com 16 | url: https://blog.stderr.at/ 17 | sources: 18 | - https://github.com/tjungbauer/helm-charts 19 | - https://charts.stderr.at/ 20 | - https://github.com/tjungbauer/openshift-clusterconfig-gitops 21 | keywords: 22 | - generic 23 | - clusterconfig 24 | - gitops 25 | -------------------------------------------------------------------------------- /clusters/management-cluster/generic-clusterconfig/README.md.gotmpl: -------------------------------------------------------------------------------- 1 | {{ template "doc.header" . }} 2 | 3 | This Helm Chart will create some basic configurations for your cluster. 4 | 5 | Most values are passed to the sub-chart **generic-cluster-config**. 
However, some settings can also be configured locally in this chart. 6 | For example, a project template and a local cluster-administrator group can be defined. 7 | 8 | 9 | {{ template "doc.deps" . }} 10 | 11 | {{ template "doc.maintainer_and_sources" . }} 12 | 13 | ## Local Parameters 14 | 15 | **TIP**: Verify the chart(s): 16 | - [generic-cluster-config](https://github.com/tjungbauer/helm-charts/tree/main/charts/generic-cluster-config) 17 | 18 | **TIP**: Verify the values.yaml to see possible additional settings. 19 | 20 | {{ template "doc.values" . }} 21 | 22 | 23 | ## Example 24 | 25 | ```yaml 26 | --- 27 | # -- List of cluster administrators. These users will automatically get the role cluster-admin assigned. 28 | # @default -- [] 29 | cluster_admin_list: 30 | - emergency 31 | 32 | # -- Enable the settings and configuration of a project template. 33 | # The information of the template can be found in templates/projecttemplate.yaml 34 | # @default -- '' 35 | projecttemplate: 36 | # -- Shall a project template be configured? 37 | # @default -- false 38 | enabled: false 39 | 40 | # -- Name of the project template 41 | # @default -- project-template 42 | name: project-template 43 | 44 | # @ignore 45 | generic-cluster-config: 46 | ############################ 47 | # DISABLE SELF PROVISIONER # 48 | ############################ 49 | self_provisioner: 50 | deactivate: true 51 | 52 | ###################### 53 | # IDENTITY PROVIDERS # 54 | ###################### 55 | idp: 56 | enabled: true 57 | # Define provider. 
Currently htpasswd and LDAP are supported 58 | providers: 59 | enabled: true 60 | htpasswd: 61 | - name: HTPASSWD 62 | enabled: true 63 | secretname: htpasswd-secret 64 | 65 | ############## 66 | # MONITORING # 67 | ############## 68 | monitoring: 69 | enabled: true 70 | enableUserWorkload: true 71 | 72 | ################ 73 | # ALERTMANAGER # 74 | ################ 75 | # Configuration for the cluster (main) Alertmanager 76 | alertmanagerMain: 77 | disable_local_alertmanager: false 78 | 79 | # Add storage to Alertmanager to keep the data. 80 | storage: 81 | class: gp3-csi 82 | size: 2Gi 83 | 84 | ############## 85 | # PROMETHEUS # 86 | ############## 87 | prometheusK8s: 88 | 89 | retention: 2d 90 | 91 | # Add storage to Prometheus to keep the data. 92 | storage: 93 | class: gp3-csi 94 | size: 10Gi 95 | ``` 96 | 97 | {{ template "doc.footer" . }} 98 | -------------------------------------------------------------------------------- /clusters/management-cluster/generic-clusterconfig/config.json: -------------------------------------------------------------------------------- 1 | { 2 | "namespace": "default", 3 | "environment": "in-cluster" 4 | } -------------------------------------------------------------------------------- /clusters/management-cluster/generic-clusterconfig/templates/create-cluster-admin-binding.yaml: -------------------------------------------------------------------------------- 1 | {{if .Values.cluster_admin_list }} 2 | kind: ClusterRoleBinding 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | metadata: 5 | name: cluster-admin-crb 6 | subjects: 7 | - kind: Group 8 | apiGroup: rbac.authorization.k8s.io 9 | name: cluster-admin 10 | roleRef: 11 | apiGroup: rbac.authorization.k8s.io 12 | kind: ClusterRole 13 | name: cluster-admin 14 | {{ end }} 15 | -------------------------------------------------------------------------------- /clusters/management-cluster/generic-clusterconfig/templates/create-group-cluster-admin.yaml: 
-------------------------------------------------------------------------------- 1 | {{if .Values.cluster_admin_list }} 2 | kind: Group 3 | apiVersion: user.openshift.io/v1 4 | metadata: 5 | name: cluster-admin 6 | users: 7 | {{- range .Values.cluster_admin_list }} 8 | - {{ . -}} 9 | {{ end }} 10 | {{ end }} 11 | 12 | -------------------------------------------------------------------------------- /clusters/management-cluster/generic-clusterconfig/templates/htpasswd-sealed-secret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: bitnami.com/v1alpha1 3 | kind: SealedSecret 4 | metadata: 5 | creationTimestamp: null 6 | name: htpasswd-secret 7 | namespace: openshift-config 8 | spec: 9 | encryptedData: 10 | htpasswd: AgBmPdbFdCR/+vKSNOwT/2B0okvv+/X2Ab6qxXTGeeZxsLBnsKz8dOgYf/TqeJjeBn95dfBxRpn/GNz4+fBKpHzVM2P/USGJE+B5a3i4/w9l1uEq/llkqnOt04BKqKCHk6ro+y3PaSJfdg9vBVpfN0ZrxvGb7h3qrmEDWHYfT+miZDqoeRQJybuuVVWtdtNjPumgG6dRQjRhg8NC+fHxqP078nRgud1/55IogQMEjl8XJJspJiK6D7Ym9Rm7k1P2iVfrHWubVdHPM+cGUW0mgzhqPFtmRQDXEoEXa93F+Z7Mrq91f2JSCC5L6luTwPpseN+tK3u/vu+f89FAP3QqAhPtGwMJ3q0B036cSgb8d4R0Nfp01rBFBPdHa619UerZR4FuefPJ9y3V2dIAdd3hi8nRkgqviSiWCxjSUFXW1dh4nSkS+wsF8s0eXofK3vP+t8SXGLI2EnErB70CC3Ac5CYmAimbwyTk65UTTBPY6QrIPWgfqgCnJ0cHcwCX71Cww8KOp+J5xMGJWgh7HopQyi8TMOH1MOXs+rnstqTtAFxJY4OITis8uvVrzwz9elv9OZmEvAOalpVRfarKYN/e40fYQ4pZ8wFdZHjVtppxtv6ciZXCDvPPHJZbfu7IlZ+9cuyWTlbSvbXBAp+ctWaYIGSKoYFTsUT5vc9VljT0pad58+jQ2WYAieV8kYzasWXYKU+zNymuXSyhQcRRbrMsCgFxJt44PJvNtzxqTUYtaTl9BEjeERdR/6WDKNQOsm9MvQNh6hN9wer0fwkBG5oLJ0y/tWi2I4Xz1i3IDZsIQSe8RCV0ubq/untJesMBOlsSiTRHxSdxhIh+BLhJnrrVBQIXyEhBZKRItxNwfrfeelydtOktGCTE0NM4N5BNseuRGsiVbzcZHfOlyckPnfGXxwsKnVM4tESL5ypaX7b8jGTOfjFh08aD56n1Tb86ZU775yMMPiiwpIOWSnqhiaF7ex7Z4KwA3llllaDTOYi8b9HkC4ULHH3h5D2wH6dUc95YtGhoBsH3z41bK5FG8CF3oM+PQZGL0zfxUkKmmG7f/r+YjO2mqCXYimFcDGmtxiHIpUg2/p6urvQjbzGYvl6jBOFQGoBWkk3doTYTPgJpc9KxepVvkDr4xynY8etSCcWeXPuAxfx68EKaf5gLybAh9SbJSpEmHGKFS8NBWjNwtore06Twi66XWGRfvi9qrA3e
i+QTVqqJCHp7ediVyzDkFZBIFQ== 11 | template: 12 | metadata: 13 | creationTimestamp: null 14 | name: htpasswd-secret 15 | namespace: openshift-config 16 | -------------------------------------------------------------------------------- /clusters/management-cluster/generic-clusterconfig/templates/projectconfig.yaml: -------------------------------------------------------------------------------- 1 | {{ if .Values.projecttemplate }} 2 | {{ if eq ( .Values.projecttemplate.enabled | toString) "true" }} 3 | --- 4 | apiVersion: config.openshift.io/v1 5 | kind: Project 6 | metadata: 7 | annotations: 8 | include.release.openshift.io/ibm-cloud-managed: 'true' 9 | include.release.openshift.io/self-managed-high-availability: 'true' 10 | include.release.openshift.io/single-node-developer: 'true' 11 | release.openshift.io/create-only: 'true' 12 | name: cluster 13 | spec: 14 | projectRequestTemplate: 15 | name: {{ .Values.projecttemplate.name | default "project-template" }} 16 | {{- end }} 17 | {{- end }} 18 | -------------------------------------------------------------------------------- /clusters/management-cluster/generic-clusterconfig/templates/projecttemplate.yaml: -------------------------------------------------------------------------------- 1 | {{ if .Values.projecttemplate }} 2 | {{ if eq ( .Values.projecttemplate.enabled | toString) "true" }} 3 | --- 4 | apiVersion: template.openshift.io/v1 5 | kind: Template 6 | metadata: 7 | creationTimestamp: null 8 | name: {{ .Values.projecttemplate.name | default "project-template" }} 9 | namespace: openshift-config 10 | objects: 11 | - apiVersion: project.openshift.io/v1 12 | kind: Project 13 | metadata: 14 | annotations: 15 | openshift.io/description: ${PROJECT_DESCRIPTION} 16 | openshift.io/display-name: ${PROJECT_DISPLAYNAME} 17 | openshift.io/requester: ${PROJECT_REQUESTING_USER} 18 | creationTimestamp: null 19 | name: ${PROJECT_NAME} 20 | spec: {} 21 | status: {} 22 | - apiVersion: rbac.authorization.k8s.io/v1 23 | kind: 
RoleBinding 24 | metadata: 25 | creationTimestamp: null 26 | name: admin 27 | namespace: ${PROJECT_NAME} 28 | roleRef: 29 | apiGroup: rbac.authorization.k8s.io 30 | kind: ClusterRole 31 | name: admin 32 | subjects: 33 | - apiGroup: rbac.authorization.k8s.io 34 | kind: User 35 | name: ${PROJECT_ADMIN_USER} 36 | - apiVersion: networking.k8s.io/v1 37 | kind: NetworkPolicy 38 | metadata: 39 | name: allow-from-openshift-monitoring 40 | namespace: ${PROJECT_NAME} 41 | spec: 42 | ingress: 43 | - from: 44 | - namespaceSelector: 45 | matchLabels: 46 | network.openshift.io/policy-group: monitoring 47 | podSelector: {} 48 | policyTypes: 49 | - Ingress 50 | - apiVersion: networking.k8s.io/v1 51 | kind: NetworkPolicy 52 | metadata: 53 | name: allow-from-kube-apiserver-operator 54 | namespace: ${PROJECT_NAME} 55 | spec: 56 | ingress: 57 | - from: 58 | - namespaceSelector: 59 | matchLabels: 60 | kubernetes.io/metadata.name: openshift-kube-apiserver-operator 61 | podSelector: 62 | matchLabels: 63 | app: kube-apiserver-operator 64 | policyTypes: 65 | - Ingress 66 | - apiVersion: networking.k8s.io/v1 67 | kind: NetworkPolicy 68 | metadata: 69 | name: default-deny-egress 70 | namespace: ${PROJECT_NAME} 71 | spec: 72 | podSelector: {} 73 | policyTypes: 74 | - Egress 75 | - apiVersion: networking.k8s.io/v1 76 | kind: NetworkPolicy 77 | metadata: 78 | name: default-deny-ingress 79 | namespace: ${PROJECT_NAME} 80 | spec: 81 | podSelector: {} 82 | policyTypes: 83 | - Ingress 84 | parameters: 85 | - name: PROJECT_NAME 86 | - name: PROJECT_DISPLAYNAME 87 | - name: PROJECT_DESCRIPTION 88 | - name: PROJECT_ADMIN_USER 89 | - name: PROJECT_REQUESTING_USER 90 | {{- end }} 91 | {{- end }} 92 | -------------------------------------------------------------------------------- /clusters/management-cluster/generic-clusterconfig/values.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # -- List of cluster administrators. 
These users will automatically get the role cluster-admin assigned. 3 | # @default -- [] 4 | cluster_admin_list: 5 | - emergency 6 | 7 | # -- Enable the settings and configuration of a project template. 8 | # The information of the template can be found in templates/projecttemplate.yaml 9 | # @default -- '' 10 | projecttemplate: 11 | # -- Shall a project template be configured? 12 | # @default -- false 13 | enabled: false 14 | 15 | # -- Name of the project template 16 | # @default -- project-template 17 | name: project-template 18 | 19 | # @ignore 20 | generic-cluster-config: 21 | ############################ 22 | # DISABLE SELF PROVISIONER # 23 | ############################ 24 | self_provisioner: 25 | deactivate: true 26 | 27 | ###################### 28 | # IDENTITY PROVIDERS # 29 | ###################### 30 | idp: 31 | enabled: true 32 | # Define the provider. Currently htpasswd and LDAP are supported. 33 | providers: 34 | enabled: true 35 | htpasswd: 36 | - name: HTPASSWD 37 | enabled: true 38 | secretname: htpasswd-secret 39 | 40 | ############## 41 | # MONITORING # 42 | ############## 43 | monitoring: 44 | enabled: true 45 | enableUserWorkload: true 46 | 47 | ################ 48 | # ALERTMANAGER # 49 | ################ 50 | # Configuration for the cluster (main) Alertmanager 51 | alertmanagerMain: 52 | disable_local_alertmanager: false 53 | 54 | # Add storage to Alertmanager to keep the data. 55 | storage: 56 | class: gp3-csi 57 | size: 2Gi 58 | 59 | ############## 60 | # PROMETHEUS # 61 | ############## 62 | prometheusK8s: 63 | 64 | retention: 2d 65 | 66 | # Add storage to Prometheus to keep the data. 
67 | storage: 68 | class: gp3-csi 69 | size: 10Gi 70 | -------------------------------------------------------------------------------- /clusters/management-cluster/idp/Archive/Keycloak/Keycloak-Client.yaml: -------------------------------------------------------------------------------- 1 | {{ if eq (.Values.keycloak.enabled | toString) "true" }} 2 | {{ range .Values.keycloak.clients }} 3 | {{ if eq (.enabled | toString) "true" }} 4 | --- 5 | apiVersion: keycloak.org/v1alpha1 6 | kind: KeycloakClient 7 | metadata: 8 | name: {{ .name }} 9 | namespace: {{ $.Values.keycloak.namespace.name }} 10 | labels: 11 | {{- toYaml .labels | nindent 4 }} 12 | {{- include "tpl.labels" $ | nindent 4 }} 13 | annotations: 14 | argocd.argoproj.io/sync-wave: {{ .syncwave | default "10" | quote }} 15 | argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true 16 | spec: 17 | client: 18 | clientAuthenticatorType: {{ .clientAuthenticatorType }} 19 | redirectUris: 20 | {{- range .redirectUris }} 21 | - {{ . | quote }} 22 | {{- end }} 23 | serviceAccountsEnabled: {{ .serviceAccountsEnabled }} 24 | clientId: {{ .clientId }} 25 | defaultClientScopes: 26 | {{- range .defaultClientScopes }} 27 | - {{ . 
}} 28 | {{- end }} 29 | implicitFlowEnabled: {{ .implicitFlowEnabled }} 30 | publicClient: {{ .publicClient }} 31 | standardFlowEnabled: {{ .standardFlowEnabled }} 32 | directAccessGrantsEnabled: {{ .directAccessGrantsEnabled }} 33 | realmSelector: 34 | matchLabels: 35 | {{- toYaml .labels | nindent 6 }} 36 | {{- end }} 37 | {{- end }} 38 | {{- end }} 39 | -------------------------------------------------------------------------------- /clusters/management-cluster/idp/Archive/Keycloak/Keycloak-Instance.yaml: -------------------------------------------------------------------------------- 1 | {{ if eq (.Values.keycloak.enabled | toString) "true" }} 2 | apiVersion: keycloak.org/v1alpha1 3 | kind: Keycloak 4 | metadata: 5 | labels: 6 | {{- toYaml .Values.keycloak.labels | nindent 4 }} 7 | {{- include "tpl.labels" $ | nindent 4 }} 8 | annotations: 9 | argocd.argoproj.io/sync-wave: {{ .Values.keycloak.syncwave | default "10" | quote }} 10 | argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true 11 | name: keycloak 12 | namespace: {{ .Values.keycloak.namespace.name }} 13 | spec: 14 | externalAccess: 15 | enabled: {{ .Values.keycloak.externalAccess.enabled }} 16 | instances: {{ .Values.keycloak.instances }} 17 | keycloakDeploymentSpec: 18 | imagePullPolicy: {{ .Values.keycloak.keycloakDeploymentSpec.imagePullPolicy }} 19 | postgresDeploymentSpec: 20 | imagePullPolicy: {{ .Values.keycloak.postgresDeploymentSpec.imagePullPolicy }} 21 | {{- end }} 22 | -------------------------------------------------------------------------------- /clusters/management-cluster/idp/Archive/Keycloak/Keycloak-Realm.yaml: -------------------------------------------------------------------------------- 1 | {{ if eq (.Values.keycloak.enabled | toString) "true" }} 2 | {{ range .Values.keycloak.realms }} 3 | {{ if eq (.enabled | toString) "true" }} 4 | --- 5 | apiVersion: keycloak.org/v1alpha1 6 | kind: KeycloakRealm 7 | metadata: 8 | name: {{ .name }} 9 | namespace: {{ 
$.Values.keycloak.namespace.name }} 10 | labels: 11 | {{- toYaml .labels | nindent 4 }} 12 | {{- include "tpl.labels" $ | nindent 4 }} 13 | annotations: 14 | argocd.argoproj.io/sync-wave: {{ .syncwave | default "10" | quote }} 15 | argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true 16 | spec: 17 | instanceSelector: 18 | matchLabels: 19 | {{- toYaml .labels | nindent 6 }} 20 | realm: 21 | displayName: {{ .displayName }} 22 | enabled: {{ .enabled }} 23 | id: {{ .id }} 24 | realm: {{ .realm }} 25 | sslRequired: {{ .sslRequired }} 26 | {{- end }} 27 | {{- end }} 28 | {{- end }} 29 | -------------------------------------------------------------------------------- /clusters/management-cluster/idp/Archive/Keycloak/Keycloak-User.yaml: -------------------------------------------------------------------------------- 1 | {{ if eq (.Values.keycloak.enabled | toString) "true" }} 2 | {{ range .Values.keycloak.users }} 3 | {{ if eq (.enabled | toString) "true" }} 4 | --- 5 | apiVersion: keycloak.org/v1alpha1 6 | kind: KeycloakUser 7 | metadata: 8 | name: {{ .name }} 9 | namespace: {{ $.Values.keycloak.namespace.name }} 10 | labels: 11 | {{- toYaml .labels | nindent 4 }} 12 | {{- include "tpl.labels" $ | nindent 4 }} 13 | annotations: 14 | argocd.argoproj.io/sync-wave: {{ .syncwave | default "10" | quote }} 15 | argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true 16 | spec: 17 | realmSelector: 18 | matchLabels: 19 | {{- toYaml .labels | nindent 6 }} 20 | user: 21 | credentials: 22 | - type: password 23 | valueFrom: 24 | secretKeyRef: 25 | name: {{ .name }}-secret 26 | key: password 27 | email: {{ .email }} 28 | emailVerified: {{ .emailVerified }} 29 | enabled: {{ .enabled }} 30 | username: {{ .name }} 31 | firstName: {{ .firstName | default "" }} 32 | lastName: {{ .lastName | default "" }} 33 | {{- end }} 34 | {{- end }} 35 | {{- end }} 36 | -------------------------------------------------------------------------------- 
/clusters/management-cluster/idp/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: cert-manager 3 | description: Setup and configure the cert Manager operator 4 | home: https://github.com/tjungbauer/openshift-clusterconfig-gitops/tree/main/clusters/management-cluster/cert-manager 5 | version: 1.0.0 6 | dependencies: 7 | - name: tpl 8 | version: ~1.0.0 9 | repository: https://charts.stderr.at/ 10 | - name: helper-operator 11 | version: ~1.0.21 12 | repository: https://charts.stderr.at/ 13 | - name: helper-status-checker 14 | version: ~4.0.0 15 | repository: https://charts.stderr.at/ 16 | condition: helper-status-checker.enabled 17 | - name: generic-cluster-config 18 | version: ~1.0.25 19 | repository: https://charts.stderr.at 20 | maintainers: 21 | - name: tjungbauer 22 | email: tjungbau@redhat.com 23 | url: https://blog.stderr.at/ 24 | sources: 25 | - https://github.com/tjungbauer/helm-charts 26 | - https://charts.stderr.at/ 27 | - https://github.com/tjungbauer/openshift-clusterconfig-gitops 28 | keywords: 29 | - compliance 30 | - security 31 | -------------------------------------------------------------------------------- /clusters/management-cluster/idp/LICENSE: -------------------------------------------------------------------------------- 1 | Copyright 2024 Thomas Jungbauer 2 | 3 | Licensed under the Apache License, Version 2.0 (the "License"); 4 | you may not use this file except in compliance with the License. 5 | You may obtain a copy of the License at 6 | 7 | http://www.apache.org/licenses/LICENSE-2.0 8 | 9 | Unless required by applicable law or agreed to in writing, software 10 | distributed under the License is distributed on an "AS IS" BASIS, 11 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | See the License for the specific language governing permissions and 13 | limitations under the License. 
-------------------------------------------------------------------------------- /clusters/management-cluster/idp/config.json: -------------------------------------------------------------------------------- 1 | { 2 | "namespace": "default", 3 | "environment": "in-cluster" 4 | } -------------------------------------------------------------------------------- /clusters/management-cluster/idp/templates/_helpers.tpl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tjungbauer/openshift-clusterconfig-gitops/d47d85acc9324972e253db70a46fa16ee3c17d28/clusters/management-cluster/idp/templates/_helpers.tpl -------------------------------------------------------------------------------- /clusters/management-cluster/idp/templates/create-cluster-admin-binding.yaml: -------------------------------------------------------------------------------- 1 | {{if .Values.cluster_admin_list }} 2 | kind: ClusterRoleBinding 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | metadata: 5 | name: cluster-admin-crb 6 | subjects: 7 | - kind: Group 8 | apiGroup: rbac.authorization.k8s.io 9 | name: cluster-admin 10 | roleRef: 11 | apiGroup: rbac.authorization.k8s.io 12 | kind: ClusterRole 13 | name: cluster-admin 14 | 15 | {{ end }} 16 | -------------------------------------------------------------------------------- /clusters/management-cluster/idp/templates/create-group-cluster-admin.yaml: -------------------------------------------------------------------------------- 1 | {{if .Values.cluster_admin_list }} 2 | kind: Group 3 | apiVersion: user.openshift.io/v1 4 | metadata: 5 | name: cluster-admin 6 | users: 7 | {{- range .Values.cluster_admin_list }} 8 | - {{ . 
-}} 9 | {{ end }} 10 | {{ end }} 11 | 12 | -------------------------------------------------------------------------------- /clusters/management-cluster/idp/templates/htpasswd-sealed-secret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: bitnami.com/v1alpha1 3 | kind: SealedSecret 4 | metadata: 5 | creationTimestamp: null 6 | name: htpasswd-secret 7 | namespace: openshift-config 8 | spec: 9 | encryptedData: 10 | htpasswd: 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 11 | template: 12 | metadata: 13 | creationTimestamp: null 14 | name: htpasswd-secret 15 | namespace: openshift-config 16 | -------------------------------------------------------------------------------- /clusters/management-cluster/idp/values.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | cluster_admin_list: 3 | - emergency 4 | 5 | # @ignore 6 | generic-cluster-config: 7 | ###################### 8 | # IDENTITY PROVIDERS # 9 | ###################### 10 | idp: 11 | enabled: true 12 | # Define provider. 
Currently htpasswd and LDAP are supported 13 | providers: 14 | enabled: true 15 | htpasswd: 16 | - name: Emergency 17 | enabled: true 18 | secretname: htpasswd-secret 19 | -------------------------------------------------------------------------------- /clusters/management-cluster/ingresscontroller/config.json: -------------------------------------------------------------------------------- 1 | { 2 | "namespace": "default", 3 | "environment": "in-cluster" 4 | } -------------------------------------------------------------------------------- /clusters/management-cluster/ingresscontroller/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | helmCharts: 4 | - name: ingresscontroller 5 | repo: https://charts.stderr.at 6 | valuesFile: values.yaml 7 | - name: cert-manager 8 | repo: https://charts.stderr.at 9 | valuesFile: values.yaml 10 | -------------------------------------------------------------------------------- /clusters/management-cluster/ingresscontroller/values.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # -- Define ingressControllers 3 | # Multiple might be defined. 4 | ingresscontrollers: 5 | # -- Name of the IngressController. OpenShift initial IngressController is called 'default'. 
6 | - name: default 7 | 8 | # -- Enable the configuration 9 | # @default -- false 10 | enabled: true 11 | 12 | # -- Number of replicas for this IngressController 13 | # @default -- 2 14 | replicas: 3 15 | 16 | # -- The name of the secret that stores the certificate information for the IngressController 17 | # @default -- N/A 18 | defaultCertificate: router-certificate 19 | 20 | # -- Additional annotations for the IngressController 21 | # For example to enable HTTP/2 add the following: 22 | # ingress.operator.openshift.io/default-enable-http2: true 23 | # @default -- N/A 24 | annotations: 25 | ingress.operator.openshift.io/default-enable-http2: true 26 | 27 | # -- Bind IngressController to specific nodes 28 | # Here as example for Infrastructure nodes. 29 | # @default -- empty 30 | #nodePlacement: 31 | 32 | # NodeSelector that shall be used. 33 | # nodeSelector: 34 | # key: node-role.kubernetes.io/infra 35 | # value: '' 36 | 37 | # # -- Tolerations, required if the nodes are tainted. 38 | # tolerations: 39 | # - effect: NoSchedule 40 | # key: node-role.kubernetes.io/infra 41 | # operator: Equal 42 | # value: reserved 43 | # - effect: NoExecute 44 | # key: node-role.kubernetes.io/infra 45 | # operator: Equal 46 | # value: reserved 47 | 48 | certificates: 49 | enabled: true 50 | 51 | # List of certificates 52 | certificate: 53 | - name: router-certificate 54 | enabled: true 55 | namespace: openshift-ingress 56 | syncwave: "0" 57 | secretName: router-certificate 58 | 59 | dnsNames: 60 | - apps.ocp.aws.ispworld.at 61 | - '*.apps.ocp.aws.ispworld.at' 62 | 63 | # Reference to the issuer that shall be used. 
64 | issuerRef: 65 | name: letsencrypt-prod 66 | kind: ClusterIssuer -------------------------------------------------------------------------------- /clusters/management-cluster/install-cyclonedx/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: install-cyclonedx 3 | description: Install Cyclonedx to store SBOMs 4 | version: 1.0.0 5 | dependencies: 6 | - name: tpl 7 | version: ~1.0.0 8 | repository: https://charts.stderr.at/ 9 | - name: cyclonedx 10 | version: ~1.0.0 11 | repository: https://charts.stderr.at/ 12 | maintainers: 13 | - name: tjungbauer 14 | email: tjungbau@redhat.com 15 | url: https://blog.stderr.at/ 16 | sources: 17 | - https://github.com/tjungbauer/helm-charts 18 | - https://charts.stderr.at/ 19 | - https://github.com/tjungbauer/openshift-clusterconfig-gitops 20 | keywords: 21 | - secure-supply-chain 22 | - security 23 | -------------------------------------------------------------------------------- /clusters/management-cluster/install-cyclonedx/LICENSE: -------------------------------------------------------------------------------- 1 | Copyright 2022 Thomas Jungbauer 2 | 3 | Licensed under the Apache License, Version 2.0 (the "License"); 4 | you may not use this file except in compliance with the License. 5 | You may obtain a copy of the License at 6 | 7 | http://www.apache.org/licenses/LICENSE-2.0 8 | 9 | Unless required by applicable law or agreed to in writing, software 10 | distributed under the License is distributed on an "AS IS" BASIS, 11 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | See the License for the specific language governing permissions and 13 | limitations under the License. 
-------------------------------------------------------------------------------- /clusters/management-cluster/install-cyclonedx/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | # install-cyclonedx 4 | 5 | [![License](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) 6 | [![Linting](https://github.com/tjungbauer/openshift-clusterconfig-gitops/actions/workflows/linting.yml/badge.svg)](https://github.com/tjungbauer/openshift-clusterconfig-gitops/actions/workflows/linting.yml) 7 | [![Release Charts](https://github.com/tjungbauer/helm-charts/actions/workflows/release.yml/badge.svg)](https://github.com/tjungbauer/helm-charts/actions/workflows/release.yml) 8 | 9 | ![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) 10 | 11 | 12 | 13 | ## Description 14 | 15 | Install Cyclonedx to store SBOMs 16 | 17 | CycloneDX provides advanced supply chain capabilities for cyber risk reduction. We are using the Software Bill of Materials (SBOM) capabilities. 18 | An SBOM is a complete and accurate inventory of all first-party and third-party components, which is essential for risk identification. 19 | 20 | This chart will install the CycloneDX BOM Repo server, which enables you to store SBOM inventories on your cluster. 21 | It uses the Chart [cyclonedx](https://github.com/tjungbauer/helm-charts/tree/main/charts/cyclonedx). 
22 | 23 | For detailed information check: [CycloneDX SBOM](https://cyclonedx.org/capabilities/sbom/) 24 | 25 | For an example of how to use it during a pipeline run check: [Generating an SBOM](https://blog.stderr.at/securesupplychain/2023-06-22-securesupplychain-step7/) 26 | 27 | ## Dependencies 28 | 29 | This chart has the following dependencies: 30 | 31 | | Repository | Name | Version | 32 | |------------|------|---------| 33 | | https://charts.stderr.at/ | cyclonedx | ~1.0.0 | 34 | 35 | ## Maintainers 36 | 37 | | Name | Email | Url | 38 | | ---- | ------ | --- | 39 | | tjungbauer | | | 40 | 41 | ## Sources 42 | Source: 43 | * 44 | * 45 | * 46 | 47 | Source code: 48 | 49 | ## Parameters 50 | 51 | ## Values 52 | 53 | | Key | Type | Default | Description | 54 | |-----|------|---------|-------------| 55 | | namespace.create | bool | false | Create Namespace yes or not | 56 | | namespace.name | string | `"cyclonedx"` | Name of the Namespace | 57 | 58 | ## Example values 59 | 60 | ```yaml 61 | --- 62 | namespace: 63 | create: true 64 | name: cyclonedx 65 | ``` 66 | 67 | ---------------------------------------------- 68 | Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0) 69 | -------------------------------------------------------------------------------- /clusters/management-cluster/install-cyclonedx/README.md.gotmpl: -------------------------------------------------------------------------------- 1 | {{ template "doc.header" . }} 2 | 3 | 4 | 5 | CycloneDX provides advanced supply chain capabilities for cyber risk reduction. We are using the Software Bill of Materials (SBOM) capabilities. 6 | An SBOM is a complete and accurate inventory of all first-party and third-party components, which is essential for risk identification. 7 | 8 | This chart will install the CycloneDX BOM Repo server, which enables you to store SBOM inventories on your cluster. 
9 | It uses the Chart [cyclonedx](https://github.com/tjungbauer/helm-charts/tree/main/charts/cyclonedx). 10 | 11 | For detailed information check: [CycloneDX SBOM](https://cyclonedx.org/capabilities/sbom/) 12 | 13 | For an example of how to use it during a pipeline run check: [Generating an SBOM](https://blog.stderr.at/securesupplychain/2023-06-22-securesupplychain-step7/) 14 | 15 | {{ template "doc.deps" . }} 16 | 17 | {{ template "doc.maintainer_and_sources" . }} 18 | 19 | ## Parameters 20 | 21 | {{ template "doc.values" . }} 22 | 23 | ## Example values 24 | 25 | ```yaml 26 | --- 27 | namespace: 28 | create: true 29 | name: cyclonedx 30 | ``` 31 | 32 | {{ template "doc.footer" . }} 33 | -------------------------------------------------------------------------------- /clusters/management-cluster/install-cyclonedx/config.json: -------------------------------------------------------------------------------- 1 | { 2 | "namespace": "default", 3 | "environment": "in-cluster" 4 | } -------------------------------------------------------------------------------- /clusters/management-cluster/install-cyclonedx/templates/_helpers.tpl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tjungbauer/openshift-clusterconfig-gitops/d47d85acc9324972e253db70a46fa16ee3c17d28/clusters/management-cluster/install-cyclonedx/templates/_helpers.tpl -------------------------------------------------------------------------------- /clusters/management-cluster/install-cyclonedx/values.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | -------------------------------------------------------------------------------- /clusters/management-cluster/internal-registry/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: internal-registry 3 | description: Configures the internal OpenShift registry 4 | version: 1.0.0 5 | 
dependencies: 6 | - name: tpl 7 | version: ~1.0.0 8 | repository: https://charts.stderr.at/ 9 | - name: helper-objectstore 10 | version: ~1.0.0 11 | repository: https://charts.stderr.at/ 12 | condition: helper-objectstore.enabled 13 | maintainers: 14 | - name: tjungbauer 15 | -------------------------------------------------------------------------------- /clusters/management-cluster/internal-registry/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | # TODO -------------------------------------------------------------------------------- /clusters/management-cluster/internal-registry/config.json: -------------------------------------------------------------------------------- 1 | { 2 | "namespace": "openshift-image-registry", 3 | "environment": "in-cluster" 4 | } -------------------------------------------------------------------------------- /clusters/management-cluster/internal-registry/templates/_helpers.tpl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tjungbauer/openshift-clusterconfig-gitops/d47d85acc9324972e253db70a46fa16ee3c17d28/clusters/management-cluster/internal-registry/templates/_helpers.tpl -------------------------------------------------------------------------------- /clusters/management-cluster/internal-registry/templates/clusterrole.yaml: -------------------------------------------------------------------------------- 1 | {{- with .Values }} 2 | {{ if eq ( .enabled | toString) "true" }} 3 | --- 4 | apiVersion: rbac.authorization.k8s.io/v1 5 | kind: ClusterRole 6 | metadata: 7 | annotations: 8 | argocd.argoproj.io/hook: Sync 9 | argocd.argoproj.io/hook-delete-policy: HookSucceeded 10 | argocd.argoproj.io/sync-wave: {{ .syncwave | default 3 | quote }} 11 | name: patch-image-registry-crb-{{ .namespace }}-clusterrole 12 | namespace: {{ .namespace | quote }} 13 | labels: 14 | {{- include "tpl.labels" $ | nindent 4 }} 15 | rules: 
16 | - apiGroups: 17 | - imageregistry.operator.openshift.io 18 | resources: 19 | - configs 20 | verbs: 21 | - get 22 | - list 23 | - patch 24 | {{- end }} 25 | {{- end }} 26 | -------------------------------------------------------------------------------- /clusters/management-cluster/internal-registry/templates/create-bucket-secret-crb.yaml: -------------------------------------------------------------------------------- 1 | {{- if eq ( .Values.enabled | toString) "true" }} 2 | {{- with .Values }} 3 | --- 4 | apiVersion: rbac.authorization.k8s.io/v1 5 | kind: ClusterRoleBinding 6 | metadata: 7 | name: create-bucket-secret-crb-{{ .namespace }} 8 | annotations: 9 | argocd.argoproj.io/hook: Sync 10 | argocd.argoproj.io/hook-delete-policy: HookSucceeded 11 | argocd.argoproj.io/sync-wave: {{ .syncwave | default 3 | quote }} 12 | labels: 13 | {{- include "tpl.labels" $ | nindent 4 }} 14 | roleRef: 15 | apiGroup: rbac.authorization.k8s.io 16 | kind: ClusterRole 17 | name: admin 18 | subjects: 19 | - kind: ServiceAccount 20 | name: create-bucket-secret-sa 21 | namespace: {{ .namespace }} 22 | - kind: ServiceAccount 23 | name: create-bucket-secret-sa 24 | namespace: openshift-config 25 | {{- end }} 26 | {{- end }} 27 | -------------------------------------------------------------------------------- /clusters/management-cluster/internal-registry/templates/create-bucket-secret-sa.yaml: -------------------------------------------------------------------------------- 1 | {{- if eq ( .Values.enabled | toString) "true" }} 2 | {{- with .Values }} 3 | --- 4 | apiVersion: v1 5 | kind: ServiceAccount 6 | metadata: 7 | name: create-bucket-secret-sa 8 | namespace: {{ .namespace }} 9 | annotations: 10 | argocd.argoproj.io/hook: Sync 11 | argocd.argoproj.io/hook-delete-policy: HookSucceeded 12 | argocd.argoproj.io/sync-wave: {{ .syncwave | default 3 | quote }} 13 | labels: 14 | {{- include "tpl.labels" $ | nindent 4 }} 15 | --- 16 | apiVersion: v1 17 | kind: ServiceAccount 18 | 
metadata: 19 | name: create-bucket-secret-sa 20 | namespace: openshift-config 21 | annotations: 22 | argocd.argoproj.io/hook: Sync 23 | argocd.argoproj.io/hook-delete-policy: HookSucceeded 24 | argocd.argoproj.io/sync-wave: {{ .syncwave | default 3 | quote }} 25 | labels: 26 | {{- include "tpl.labels" $ | nindent 4 }} 27 | {{- end }} 28 | {{- end }} 29 | -------------------------------------------------------------------------------- /clusters/management-cluster/internal-registry/templates/create-bucket-secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if eq ( .Values.enabled | toString) "true" }} 2 | {{- with .Values }} 3 | --- 4 | apiVersion: batch/v1 5 | kind: Job 6 | metadata: 7 | name: create-bucket-bucket-secret 8 | namespace: {{ .namespace }} 9 | annotations: 10 | argocd.argoproj.io/hook: Sync 11 | argocd.argoproj.io/hook-delete-policy: HookSucceeded 12 | argocd.argoproj.io/sync-wave: {{ .syncwave | default "3" | quote }} 13 | labels: 14 | {{- include "tpl.labels" $ | nindent 4 }} 15 | spec: 16 | template: 17 | metadata: 18 | name: create-bucket-secret 19 | spec: 20 | containers: 21 | - name: create-bucket-secret 22 | image: registry.redhat.io/openshift4/ose-cli:latest 23 | command: 24 | - /bin/bash 25 | - -c 26 | - | 27 | #!/usr/bin/env bash 28 | 29 | # Sleeping before starting with the work, to be sure the bucket has been created. 30 | SLEEPER_TMP=0 31 | 32 | printf "Waiting 20 seconds before I start with the generation of the configuration\n" 33 | 34 | while [[ $SLEEPER_TMP -le "20" ]]; do 35 | echo -n "." 
36 | sleep 1 37 | SLEEPER_TMP=$(($SLEEPER_TMP+1)) 38 | done 39 | 40 | printf "\nTrying to create the required Loki secret file\n" 41 | 42 | bucket_user=`cat /tmp/bucket-secret/AWS_ACCESS_KEY_ID` 43 | 44 | bucket_secret=`cat /tmp/bucket-secret/AWS_SECRET_ACCESS_KEY` 45 | 46 | bucket_name=`cat /tmp/logging-bucket/BUCKET_NAME` 47 | 48 | bucket_host=`cat /tmp/logging-bucket/BUCKET_HOST` 49 | 50 | bucket_region=`cat /tmp/logging-bucket/BUCKET_REGION` 51 | 52 | oc create secret generic image-registry-private-configuration-user \ 53 | --from-literal REGISTRY_STORAGE_S3_ACCESSKEY=${bucket_user} \ 54 | --from-literal REGISTRY_STORAGE_S3_SECRETKEY=${bucket_secret} 55 | 56 | cd /tmp 57 | 58 | openssl s_client -connect s3.openshift-storage.svc:443 < /dev/null 2>/dev/null | awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/ { print $0 }' > /tmp/tls.crt 59 | 60 | oc create configmap image-registry-s3-bundle --from-file=ca-bundle.crt=/tmp/tls.crt -n openshift-config 61 | 62 | oc patch config.image/cluster -p '{"spec":{"managementState":"Managed","replicas":2,"storage":{"managementState":"Unmanaged","s3":{"bucket":'\"${bucket_name}\"',"region":"us-east-1","regionEndpoint":'\"https://${bucket_host}\"',"virtualHostedStyle":false,"encrypt":false,"trustedCA":{"name":"image-registry-s3-bundle"}}}}}' --type=merge 63 | 64 | printf "\nSecret image-registry-private-configuration-user has been created\n" 65 | volumeMounts: 66 | - name: bucket-secret 67 | mountPath: "/tmp/bucket-secret" 68 | readOnly: true 69 | - name: logging-bucket 70 | mountPath: /tmp/logging-bucket 71 | volumes: 72 | - name: bucket-secret 73 | secret: 74 | secretName: {{ .bucket.name }} 75 | - name: logging-bucket 76 | configMap: 77 | name: {{ .bucket.name }} 78 | restartPolicy: Never 79 | serviceAccountName: create-bucket-secret-sa 80 | {{- end }} 81 | {{- end }} 82 | -------------------------------------------------------------------------------- /clusters/management-cluster/internal-registry/templates/imageRegistry.yaml: 
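--------------------------------------------------------------------------------
{{- /*
Desired state of the cluster image registry (configs.imageregistry/cluster).
Only rendered when .Values.enabled is true. The sync wave defaults to 10 so the
Sync-hook Job of this chart (wave 3 by default) has already patched the storage
settings; SkipDryRunOnMissingResource lets Argo CD sync before the CRD exists.
The duplicated "annotations:" key has been removed: it nested the Argo CD
annotations under a second map and left the resource without them.
*/}}
{{- if eq ( .Values.enabled | toString) "true" }}
{{- with .Values }}
---
apiVersion: imageregistry.operator.openshift.io/v1
kind: Config
metadata:
  name: cluster
  annotations:
    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
    argocd.argoproj.io/sync-wave: {{ .syncwave | default "10" | quote }}
  labels:
    {{- include "tpl.labels" $ | nindent 4 }}
spec:
  managementState: Managed
  replicas: {{ .replicas | default "2" }}

{{- /* Optional: pin the registry pods to nodes carrying .nodeSelector.key */}}
{{- if .nodeSelector }}
  nodeSelector:
    {{ .nodeSelector.key }}: {{ .nodeSelector.value | quote }}
{{- end }}

{{- /* Define required tolerations */}}
{{- if .tolerations }}
{{ include "tpl.tolerations" .tolerations | indent 2 }}
{{- end }}
{{- end }}
{{- end }}
--------------------------------------------------------------------------------
/clusters/management-cluster/internal-registry/templates/patch-image-registry.yaml:
--------------------------------------------------------------------------------
{{- /*
Binds ServiceAccount create-bucket-secret-sa (in .Values.namespace) to the
ClusterRole patch-image-registry-crb-<namespace>-clusterrole, which is expected
to be defined elsewhere in this chart, so the Sync-hook Job can patch the
registry configuration. This is a cluster-scoped binding: keep the referenced
ClusterRole limited to the verbs the Job actually needs.
Created as a Sync hook and removed again once the hook succeeded.
*/}}
{{- if eq ( .Values.enabled | toString) "true" }}
{{- with .Values }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: patch-image-registry-crb-{{ .namespace }}
  annotations:
    argocd.argoproj.io/hook: Sync
    argocd.argoproj.io/hook-delete-policy: HookSucceeded
    argocd.argoproj.io/sync-wave: {{ .syncwave | default 3 | quote }}
  labels:
    {{- include "tpl.labels" $ | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: patch-image-registry-crb-{{ .namespace }}-clusterrole
subjects:
  - kind: ServiceAccount
    name: create-bucket-secret-sa
    namespace: {{ .namespace }}
{{- end }}
{{- end }}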
-------------------------------------------------------------------------------- /clusters/management-cluster/internal-registry/values.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | storageclassname: &storageclassname internal-registry-bucket-storage-class 3 | bucketname: &bucketname internal-registry-bucket 4 | regnamespace: &regnamespace openshift-image-registry 5 | 6 | enabled: true 7 | namespace: *regnamespace 8 | bucket: 9 | name: *bucketname 10 | 11 | # Replicas for internal registry 12 | # Default: 2 13 | # replicas: 2 14 | 15 | # Bind internal registry to specific nodes 16 | nodeSelector: 17 | key: node-role.kubernetes.io/infra 18 | value: '' 19 | tolerations: 20 | - effect: NoSchedule 21 | key: node-role.kubernetes.io/infra 22 | operator: Equal 23 | value: reserved 24 | - effect: NoExecute 25 | key: node-role.kubernetes.io/infra 26 | operator: Equal 27 | value: reserved 28 | 29 | # A helper chart that simply creates another backingstore for quay. 30 | # This is a chart in a very early state, and not everything can be customized for now. 31 | # It will create the objects: 32 | # - BackingStore 33 | # - BackingClass 34 | # - StorageClass 35 | 36 | # NOTE: Currently only PV type is supported 37 | helper-objectstore: 38 | enabled: true 39 | # syncwave: 1 40 | 41 | # Name of the BackingStore 42 | backingstore_name: internal-registry-backingstore 43 | # Size of the BackingStore 44 | backingstore_size: 100Gi 45 | # numOfVolumes: 1 46 | # type: pv-pool 47 | 48 | # The StorageClass the BackingStore is based on 49 | baseStorageClass: gp3-csi 50 | 51 | # Name of the StorageClass that shall be enabled. 
52 | storageclass_name: *storageclassname 53 | 54 | # Bucket that shall be created 55 | bucket: 56 | enabled: true 57 | name: *bucketname 58 | namespace: *regnamespace 59 | 60 | # is_secure: true 61 | # port: 443 62 | 63 | # Name of the storageclass 64 | # Default: openshift-storage.noobaa.io 65 | # a separate StorageClass with BackingStore and BackingClass can be created. 66 | storageclass: *storageclassname 67 | 68 | # Syncwave for bucketclaim creation. This should be done very early, but it depends on ODF. 69 | # Default: 2 70 | syncwave: 2 71 | -------------------------------------------------------------------------------- /clusters/management-cluster/node-configuration/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: node-labels 3 | description: Manage the labelling of the nodes using openshift-gitops 1.6+ and Server Side Apply 4 | version: 1.0.0 5 | maintainers: 6 | - name: tjungbauer 7 | -------------------------------------------------------------------------------- /clusters/management-cluster/node-configuration/LICENSE: -------------------------------------------------------------------------------- 1 | Copyright 2022 Thomas Jungbauer 2 | 3 | Licensed under the Apache License, Version 2.0 (the "License"); 4 | you may not use this file except in compliance with the License. 5 | You may obtain a copy of the License at 6 | 7 | http://www.apache.org/licenses/LICENSE-2.0 8 | 9 | Unless required by applicable law or agreed to in writing, software 10 | distributed under the License is distributed on an "AS IS" BASIS, 11 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | See the License for the specific language governing permissions and 13 | limitations under the License. 
-------------------------------------------------------------------------------- /clusters/management-cluster/node-configuration/README.md: -------------------------------------------------------------------------------- 1 | 2 | ![License](https://img.shields.io/badge/License-Apache_2.0-blue.svg) 3 | 4 | # TODO -------------------------------------------------------------------------------- /clusters/management-cluster/node-configuration/config.json: -------------------------------------------------------------------------------- 1 | { 2 | "namespace": "default", 3 | "environment": "in-cluster" 4 | } -------------------------------------------------------------------------------- /clusters/management-cluster/node-configuration/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* 2 | Expand the name of the chart. 3 | */}} 4 | {{- define "common.name" -}} 5 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} 6 | {{- end }} 7 | 8 | {{/* 9 | Create a default fully qualified app name. 10 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 11 | If release name contains chart name it will be used as a full name. 12 | */}} 13 | {{- define "common.fullname" -}} 14 | {{- if .Values.fullnameOverride }} 15 | {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} 16 | {{- else }} 17 | {{- $name := default .Chart.Name .Values.nameOverride }} 18 | {{- if contains $name .Release.Name }} 19 | {{- .Release.Name | trunc 63 | trimSuffix "-" }} 20 | {{- else }} 21 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} 22 | {{- end }} 23 | {{- end }} 24 | {{- end }} 25 | 26 | {{/* 27 | Create chart name and version as used by the chart label. 
28 | */}} 29 | {{- define "common.chart" -}} 30 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} 31 | {{- end }} 32 | 33 | {{/* 34 | Common labels 35 | */}} 36 | {{- define "common.labels" -}} 37 | helm.sh/chart: {{ include "common.chart" . }} 38 | {{ include "common.selectorLabels" . }} 39 | {{- if .Chart.AppVersion }} 40 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 41 | {{- end }} 42 | app.kubernetes.io/managed-by: {{ .Release.Service }} 43 | {{- end }} 44 | 45 | {{/* 46 | Selector labels 47 | */}} 48 | {{- define "common.selectorLabels" -}} 49 | app.kubernetes.io/name: {{ include "common.name" . }} 50 | app.kubernetes.io/instance: {{ .Release.Name }} 51 | {{- end }} -------------------------------------------------------------------------------- /clusters/management-cluster/node-configuration/templates/node.yaml: -------------------------------------------------------------------------------- 1 | {{- range $key, $value := .Values.nodes }} 2 | {{ if eq ( $value.enabled | toString) "true" }} 3 | --- 4 | kind: Node 5 | apiVersion: v1 6 | metadata: 7 | name: {{ $value.name | quote }} 8 | labels: 9 | {{- if eq ($value.ignore_argocd_labels | toString) "true" }} 10 | {{- else }} 11 | gitops.ownedBy: openshift-gitops 12 | {{- include "common.labels" $ | nindent 4 }} 13 | {{- end }} 14 | {{- if $value.labels }} 15 | {{- range $key_labels, $value_labels := $value.labels }} 16 | {{ $key_labels }}: {{ $value_labels }} 17 | {{- end }} 18 | {{- end }} 19 | {{- range $key_custom_label, $value_custom_label := $value.custom_labels }} 20 | {{ $key_custom_label }}: {{ $value_custom_label | quote }} 21 | {{- end }} 22 | {{- if $value.roles }} 23 | {{- range $key_roles, $value_roles := $value.roles }} 24 | node-role.kubernetes.io/{{ $key_roles }}: '' 25 | {{- end }} 26 | {{- end }} 27 | finalizers: 28 | - kubernetes 29 | {{- if $value.spec }} 30 | spec: 31 | {{- if $value.spec.taints }} 32 | taints: 33 | {{- range 
$taintkey, $taintvalue := $value.spec.taints }} 34 | - effect: {{ $taintvalue.effect }} 35 | key: {{ $taintvalue.key }} 36 | value: {{ $taintvalue.value }} 37 | {{- if $taintvalue.operator }} 38 | operator: {{ $taintvalue.operator }} 39 | {{- end }} 40 | {{- end }} 41 | {{- end }} 42 | {{- end }} 43 | {{- end }} 44 | {{- end }} -------------------------------------------------------------------------------- /clusters/management-cluster/node-configuration/values.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | nodes: 3 | - name: node1 4 | enabled: true 5 | ignore_argocd_labels: true 6 | 7 | custom_labels: 8 | environment: 'Management' 9 | 10 | roles: 11 | infra: true 12 | worker: true 13 | 14 | spec: 15 | taints: 16 | - effect: NoSchedule 17 | key: infra 18 | value: reserved 19 | -------------------------------------------------------------------------------- /clusters/management-cluster/setup-acm/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: setup-acm 3 | description: Deploys Advanced Cluster Management (ACM) on target cluster. 
4 | version: 1.0.1 5 | dependencies: 6 | - name: tpl 7 | version: ~1.0.0 8 | repository: https://charts.stderr.at/ 9 | - name: rhacm-setup 10 | version: ~1.0.0 11 | repository: https://charts.stderr.at/ 12 | - name: helper-operator 13 | version: "1.0.28" 14 | repository: https://charts.stderr.at/ 15 | - name: helper-status-checker 16 | version: ~4.0.11 17 | repository: https://charts.stderr.at/ 18 | condition: helper-status-checker.enabled 19 | maintainers: 20 | - name: tjungbauer 21 | email: tjungbau@redhat.com 22 | keywords: 23 | - acs 24 | - security 25 | -------------------------------------------------------------------------------- /clusters/management-cluster/setup-acm/LICENSE: -------------------------------------------------------------------------------- 1 | Copyright 2022 Thomas Jungbauer 2 | 3 | Licensed under the Apache License, Version 2.0 (the "License"); 4 | you may not use this file except in compliance with the License. 5 | You may obtain a copy of the License at 6 | 7 | http://www.apache.org/licenses/LICENSE-2.0 8 | 9 | Unless required by applicable law or agreed to in writing, software 10 | distributed under the License is distributed on an "AS IS" BASIS, 11 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | See the License for the specific language governing permissions and 13 | limitations under the License. -------------------------------------------------------------------------------- /clusters/management-cluster/setup-acm/README.md: -------------------------------------------------------------------------------- 1 | 2 | ![License](https://img.shields.io/badge/License-Apache_2.0-blue.svg) 3 | 4 | # Overview 5 | 6 | This "wrapper" Helm Chart is used to deploy Advanced Cluster Management (ACM) using a GitOps approach. 
7 | It calls the Chart [rhacm-setup](https://artifacthub.io/packages/helm/openshift-bootstraps/rhacm-setup) which mainly takes care to 8 | 9 | - Deploy the Operator and verify if the Operator installation was successful 10 | - Deploy ACM 11 | 12 | The values.yaml provides an example of possible settings. 13 | -------------------------------------------------------------------------------- /clusters/management-cluster/setup-acm/config.json: -------------------------------------------------------------------------------- 1 | { 2 | "namespace": "open-cluster-management", 3 | "environment": "in-cluster" 4 | } -------------------------------------------------------------------------------- /clusters/management-cluster/setup-acm/templates/_helpers.tpl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tjungbauer/openshift-clusterconfig-gitops/d47d85acc9324972e253db70a46fa16ee3c17d28/clusters/management-cluster/setup-acm/templates/_helpers.tpl -------------------------------------------------------------------------------- /clusters/management-cluster/setup-acm/templates/acm-configuration/GitOpsCluster.yaml: -------------------------------------------------------------------------------- 1 | {{ if eq (.Values.gitops.enabled | toString) "true" }} 2 | {{- range .Values.gitops.integration }} 3 | --- 4 | apiVersion: apps.open-cluster-management.io/v1beta1 5 | kind: GitOpsCluster 6 | metadata: 7 | name: gitops-cluster 8 | namespace: {{ .namespace }} 9 | labels: 10 | {{- include "tpl.labels" $ | nindent 4 }} 11 | annotations: 12 | argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true 13 | argocd.argoproj.io/sync-wave: {{ .syncwave | default "10" | quote }} 14 | spec: 15 | argoServer: 16 | argoNamespace: {{ .namespace }} 17 | cluster: {{ .gitopsCluster | default "local-cluster" }} 18 | placementRef: 19 | apiVersion: cluster.open-cluster-management.io/v1alpha1 20 | kind: Placement 21 | name: 
gitops-clusters 22 | {{- end }} 23 | {{- end }} 24 | -------------------------------------------------------------------------------- /clusters/management-cluster/setup-acm/templates/acm-configuration/ManagedCluster.yaml: -------------------------------------------------------------------------------- 1 | {{- if eq (.Values.rhacm.importClusters.enabled | toString) "true" }} 2 | {{- range .Values.rhacm.importClusters.clusters }} 3 | --- 4 | apiVersion: cluster.open-cluster-management.io/v1 5 | kind: ManagedCluster 6 | metadata: 7 | name: {{ .name }} 8 | labels: 9 | name: {{ .name }} 10 | cluster.open-cluster-management.io/clusterset: {{ .clusterSet }} 11 | {{- include "tpl.labels" $ | nindent 4 }} 12 | annotations: 13 | argocd.argoproj.io/sync-wave: 3 14 | argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true 15 | spec: 16 | hubAcceptsClient: true 17 | --- 18 | apiVersion: agent.open-cluster-management.io/v1 19 | kind: KlusterletAddonConfig 20 | metadata: 21 | name: {{ .name }} 22 | namespace: {{ .name }} 23 | labels: 24 | {{- include "rhacm.labels" $ | nindent 4 }} 25 | annotations: 26 | argocd.argoproj.io/sync-wave: 5 27 | argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true 28 | spec: 29 | clusterName: {{ .name }} 30 | clusterNamespace: {{ .name }} 31 | clusterLabels: 32 | name: {{ .name }} 33 | cloud: auto-detect 34 | vendor: auto-detect 35 | cluster.open-cluster-management.io/clusterset: {{ .clusterSet }} 36 | applicationManager: 37 | enabled: true 38 | policyController: 39 | enabled: true 40 | searchCollector: 41 | enabled: true 42 | certPolicyController: 43 | enabled: true 44 | iamPolicyController: 45 | enabled: true 46 | {{- end }} 47 | {{- end }} -------------------------------------------------------------------------------- /clusters/management-cluster/setup-acm/templates/acm-configuration/ManagedClusterSetBinding.yaml: -------------------------------------------------------------------------------- 1 | {{ if eq 
(.Values.gitops.enabled | toString) "true" }} 2 | {{- range .Values.gitops.integration }} 3 | --- 4 | apiVersion: cluster.open-cluster-management.io/v1beta2 5 | kind: ManagedClusterSetBinding 6 | metadata: 7 | name: {{ .clusterSet }} 8 | namespace: {{ .namespace }} 9 | labels: 10 | {{- include "tpl.labels" $ | nindent 4 }} 11 | annotations: 12 | argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true 13 | argocd.argoproj.io/sync-wave: {{ .syncwave | default "10" | quote }} 14 | spec: 15 | clusterSet: {{ .clusterSet }} 16 | {{- end }} 17 | {{- end }} 18 | -------------------------------------------------------------------------------- /clusters/management-cluster/setup-acm/templates/acm-configuration/Placement.yaml: -------------------------------------------------------------------------------- 1 | {{ if eq (.Values.gitops.enabled | toString) "true" }} 2 | {{- range .Values.gitops.integration }} 3 | --- 4 | apiVersion: cluster.open-cluster-management.io/v1beta1 5 | kind: Placement 6 | metadata: 7 | name: gitops-clusters 8 | namespace: {{ .namespace }} 9 | labels: 10 | {{- include "tpl.labels" $ | nindent 4 }} 11 | annotations: 12 | argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true 13 | argocd.argoproj.io/sync-wave: {{ .syncwave | default "10" | quote }} 14 | spec: 15 | clusterSets: 16 | - {{ .clusterSet }} 17 | {{- end }} 18 | {{- end }} 19 | -------------------------------------------------------------------------------- /clusters/management-cluster/setup-acm/values.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | override-rhacm-operator-version: &rhacmversion release-2.13 3 | 4 | # local settings 5 | # This will enable the GitOps integration with ACM 6 | gitops: 7 | enabled: false 8 | 9 | integration: 10 | - namespace: openshift-gitops 11 | syncwave: 10 12 | clusterSet: default 13 | gitopsCluster: local-cluster 14 | 15 | # Two objects will be created: KlusterletAddonConfig and 
ManagedCluster 16 | # This will prepare the import to ACM. You still need to execute the command to fully integrate it. 17 | rhacm: 18 | importClusters: 19 | enabled: false 20 | 21 | # syncwaves 22 | # Default: 3 23 | managed_cluster_syncwave: '3' 24 | # Default: 5 25 | klusterlet_addon_syncwave: '5' 26 | 27 | # List of clusters 28 | clusters: 29 | - name: my-cluster 30 | clusterSet: default 31 | 32 | # Install Operator RHACM 33 | # Deploys Operator --> Subscription and Operatorgroup 34 | # Syncwave: 0 35 | helper-operator: 36 | operators: 37 | advanced-cluster-management: 38 | enabled: true 39 | syncwave: '0' 40 | namespace: 41 | name: open-cluster-management 42 | create: true 43 | subscription: 44 | channel: *rhacmversion 45 | approval: Manual 46 | operatorName: advanced-cluster-management 47 | source: redhat-operators 48 | sourceNamespace: openshift-marketplace 49 | operatorgroup: 50 | create: true 51 | notownnamespace: false 52 | 53 | helper-status-checker: 54 | enabled: true 55 | approver: true 56 | 57 | checks: 58 | - operatorName: advanced-cluster-management 59 | sleeptimer: 60 60 | namespace: 61 | name: open-cluster-management 62 | serviceAccount: 63 | name: "status-checker-acm" 64 | 65 | rhacm-setup: 66 | rhacm: 67 | # Namespace 68 | # Should be installed in open-cluster-management (default) 69 | namespace: 70 | name: open-cluster-management 71 | multiclusterhub: 72 | enabled: true 73 | syncwave: '3' 74 | 75 | # Specifies deployment replication for improved availability. Options are: Basic and High 76 | # Default: Basic 77 | availabilityConfig: High 78 | 79 | # If you want this component to only run on specific nodes, you can 80 | # configure tolerations of tainted nodes. 
81 | # tolerations: 82 | # - effect: NoSchedule 83 | # key: infra 84 | # operator: Equal 85 | # value: reserved 86 | -------------------------------------------------------------------------------- /clusters/management-cluster/setup-acs-backup/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: setup-acs-backup 3 | description: Deploys Backup for Advanced Cluster Security (ACS) on target cluster. 4 | home: https://github.com/tjungbauer/openshift-clusterconfig-gitops/tree/main/clusters/management-cluster/setup-acs-backup 5 | version: 1.0.0 6 | dependencies: 7 | - name: tpl 8 | version: ~1.0.0 9 | repository: https://charts.stderr.at/ 10 | - name: rhacs-backup 11 | version: ~1.0.0 12 | repository: https://charts.stderr.at/ 13 | maintainers: 14 | - name: tjungbauer 15 | email: tjungbau@redhat.com 16 | url: https://blog.stderr.at/ 17 | sources: 18 | - https://github.com/tjungbauer/helm-charts 19 | - https://charts.stderr.at/ 20 | - https://github.com/tjungbauer/openshift-clusterconfig-gitops 21 | keywords: 22 | - security 23 | - acs 24 | - backup 25 | -------------------------------------------------------------------------------- /clusters/management-cluster/setup-acs-backup/LICENSE: -------------------------------------------------------------------------------- 1 | Copyright 2025 Thomas Jungbauer 2 | 3 | Licensed under the Apache License, Version 2.0 (the "License"); 4 | you may not use this file except in compliance with the License. 5 | You may obtain a copy of the License at 6 | 7 | http://www.apache.org/licenses/LICENSE-2.0 8 | 9 | Unless required by applicable law or agreed to in writing, software 10 | distributed under the License is distributed on an "AS IS" BASIS, 11 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | See the License for the specific language governing permissions and 13 | limitations under the License. 
-------------------------------------------------------------------------------- /clusters/management-cluster/setup-acs-backup/config.json: -------------------------------------------------------------------------------- 1 | { 2 | "namespace": "stackrox", 3 | "environment": "in-cluster" 4 | } -------------------------------------------------------------------------------- /clusters/management-cluster/setup-acs-backup/templates/_helpers.tpl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tjungbauer/openshift-clusterconfig-gitops/d47d85acc9324972e253db70a46fa16ee3c17d28/clusters/management-cluster/setup-acs-backup/templates/_helpers.tpl -------------------------------------------------------------------------------- /clusters/management-cluster/setup-acs-backup/values.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: &bu_name acs-backup 3 | backup_storage_size: &backup_storage_size "100Gi" 4 | 5 | rhacs-backup: 6 | # -- Enable ACS backup. 7 | # @default -- false 8 | enabled: true 9 | 10 | # Variables for the Namespace where ACS backup shall be executed. 
11 | # Only required when not running in the ACS namespace (stackrox) 12 | namespace: stackrox 13 | 14 | serviceAccount: 15 | # -- ServiceAccount to run the backup 16 | # @default -- default 17 | name: *bu_name 18 | 19 | # -- Create service account or not 20 | # @default -- false 21 | create: true 22 | 23 | # Settings for the CronJob 24 | cronjob: 25 | # -- Name of the CronJob 26 | # @default -- acs-backup 27 | name: *bu_name 28 | 29 | # -- Namespace of the CronJob 30 | # @default -- stackrox 31 | namespace: stackrox 32 | 33 | # -- Syncwave for the CronJob 34 | # @default -- 5 35 | syncwave: 5 36 | 37 | # -- Schedule of the Cronjob, for example: daily at 4am 38 | schedule: "0 4 * * *" 39 | 40 | # Retention period for backup files (in days) 41 | # @default -- 30 42 | retention: 30 43 | 44 | # -- mount point inside the cronjob pod 45 | nfs_mountpath: /acs-backup 46 | 47 | # -- Image to use for the CronJob 48 | # @default -- registry.redhat.io/openshift4/ose-cli 49 | image: registry.redhat.io/openshift4/ose-cli 50 | 51 | # -- Custom annotations that shall be applied to the Cronjob 52 | # Add required key-value pairs as needed 53 | # @default -- {} 54 | annotations: {} 55 | 56 | # Settings for the PVC 57 | pvc: 58 | # -- Name of the PVC 59 | # @default -- acs-backup 60 | name: *bu_name 61 | 62 | # -- Syncwave for the PVC 63 | # @default -- 5 64 | syncwave: 5 65 | 66 | # -- using RWO accessMode, which is usually sufficient 67 | # @default -- ReadWriteOnce 68 | accessMode: "ReadWriteOnce" 69 | 70 | # -- Size of the Storage 71 | # @default -- 100Gi 72 | size: *backup_storage_size 73 | 74 | # -- StorageClass of the PVC. Must be left empty when the backup volume is an NFS mount, since NFS is not provided as a StorageClass. 
75 | # @default -- N/A 76 | storageClass: "gp3-csi" 77 | 78 | # -- Set the name of the PV, only required if the PV will be created (see below) 79 | # @default -- false 80 | setVolumeName: false 81 | 82 | # -- Name of the PV 83 | # @default -- '' 84 | # volumeName: '' 85 | 86 | # -- Custom annotations that shall be applied to the PVC 87 | # Add required key-value pairs as needed 88 | # @default -- {} 89 | annotations: {} 90 | -------------------------------------------------------------------------------- /clusters/management-cluster/setup-acs/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: setup-acs 3 | description: Deploys Advanced Cluster Security (ACS) on target cluster. If enabled Central will be deployed too. 4 | home: https://github.com/tjungbauer/openshift-clusterconfig-gitops/tree/main/clusters/management-cluster/setup-acs 5 | version: 1.0.0 6 | dependencies: 7 | - name: tpl 8 | version: ~1.0.0 9 | repository: https://charts.stderr.at/ 10 | - name: rhacs-setup 11 | version: ~1.0.0 12 | repository: https://charts.stderr.at/ 13 | - name: helper-operator 14 | version: ~1.0.23 15 | repository: https://charts.stderr.at/ 16 | - name: helper-status-checker 17 | version: ~4.0.0 18 | repository: https://charts.stderr.at/ 19 | condition: helper-status-checker.enabled 20 | maintainers: 21 | - name: tjungbauer 22 | email: tjungbau@redhat.com 23 | url: https://blog.stderr.at/ 24 | sources: 25 | - https://github.com/tjungbauer/helm-charts 26 | - https://charts.stderr.at/ 27 | - https://github.com/tjungbauer/openshift-clusterconfig-gitops 28 | keywords: 29 | - security 30 | - acs 31 | -------------------------------------------------------------------------------- /clusters/management-cluster/setup-acs/LICENSE: -------------------------------------------------------------------------------- 1 | Copyright 2022 Thomas Jungbauer 2 | 3 | Licensed under the Apache License, Version 2.0 (the "License"); 4 
| you may not use this file except in compliance with the License. 5 | You may obtain a copy of the License at 6 | 7 | http://www.apache.org/licenses/LICENSE-2.0 8 | 9 | Unless required by applicable law or agreed to in writing, software 10 | distributed under the License is distributed on an "AS IS" BASIS, 11 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | See the License for the specific language governing permissions and 13 | limitations under the License. -------------------------------------------------------------------------------- /clusters/management-cluster/setup-acs/config.json: -------------------------------------------------------------------------------- 1 | { 2 | "namespace": "stackrox", 3 | "environment": "in-cluster" 4 | } -------------------------------------------------------------------------------- /clusters/management-cluster/setup-acs/templates/_helpers.tpl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tjungbauer/openshift-clusterconfig-gitops/d47d85acc9324972e253db70a46fa16ee3c17d28/clusters/management-cluster/setup-acs/templates/_helpers.tpl -------------------------------------------------------------------------------- /clusters/management-cluster/setup-compliance-operator/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: setup-compliance-operator 3 | description: Deploy and configure the Compliance Operator 4 | home: https://github.com/tjungbauer/openshift-clusterconfig-gitops/tree/main/clusters/management-cluster/setup-compliance-operator 5 | version: 1.0.2 6 | dependencies: 7 | - name: tpl 8 | version: ~1.0.0 9 | repository: https://charts.stderr.at/ 10 | - name: compliance-operator-full-stack 11 | version: ~1.0.0 12 | repository: https://charts.stderr.at/ 13 | - name: helper-operator 14 | version: ~1.0.21 15 | repository: https://charts.stderr.at/ 16 | - name: 
helper-status-checker 17 | version: ~4.0.0 18 | repository: https://charts.stderr.at/ 19 | condition: helper-status-checker.enabled 20 | maintainers: 21 | - name: tjungbauer 22 | email: tjungbau@redhat.com 23 | url: https://blog.stderr.at/ 24 | sources: 25 | - https://github.com/tjungbauer/helm-charts 26 | - https://charts.stderr.at/ 27 | - https://github.com/tjungbauer/openshift-clusterconfig-gitops 28 | keywords: 29 | - compliance 30 | - security 31 | - acs 32 | -------------------------------------------------------------------------------- /clusters/management-cluster/setup-compliance-operator/LICENSE: -------------------------------------------------------------------------------- 1 | Copyright 2022 Thomas Jungbauer 2 | 3 | Licensed under the Apache License, Version 2.0 (the "License"); 4 | you may not use this file except in compliance with the License. 5 | You may obtain a copy of the License at 6 | 7 | http://www.apache.org/licenses/LICENSE-2.0 8 | 9 | Unless required by applicable law or agreed to in writing, software 10 | distributed under the License is distributed on an "AS IS" BASIS, 11 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | See the License for the specific language governing permissions and 13 | limitations under the License. -------------------------------------------------------------------------------- /clusters/management-cluster/setup-compliance-operator/README.md.gotmpl: -------------------------------------------------------------------------------- 1 | {{ template "doc.header" . }} 2 | 3 | 4 | This "wrapper" Helm Chart is used to deploy and configure Compliance Operator using a GitOps approach. 
5 | It uses the Chart [Compliance Operator](https://github.com/tjungbauer/helm-charts/tree/main/charts/compliance-operator-full-stack) which mainly takes care to 6 | 7 | - Deploy the Operator and verify if the Operator installation was successful 8 | - Configure the Compliance Operator 9 | 10 | The values.yaml provides an example of possible settings. 11 | 12 | **NOTE**: Verify the article [Installing & Configuring Compliance Operator using GitOps](https://blog.stderr.at/gitopscollection/2024-04-25-installing-compliance-operator/) for more detailed information. 13 | 14 | {{ template "doc.deps" . }} 15 | 16 | {{ template "doc.maintainer_and_sources" . }} 17 | 18 | 19 | ## Example values files 20 | 21 | ```yaml 22 | --- 23 | # Install Operator Compliance Operator 24 | # Deploys Operator --> Subscription and Operatorgroup 25 | # Syncwave: 0 26 | helper-operator: 27 | operators: 28 | compliance-operator: 29 | enabled: true 30 | syncwave: '0' 31 | namespace: 32 | name: openshift-compliance 33 | create: true 34 | subscription: 35 | channel: stable 36 | approval: Automatic 37 | operatorName: compliance-operator 38 | source: redhat-operators 39 | sourceNamespace: openshift-marketplace 40 | operatorgroup: 41 | create: true 42 | notownnamespace: true 43 | 44 | helper-status-checker: 45 | enabled: true 46 | 47 | checks: 48 | - operatorName: compliance-operator 49 | namespace: 50 | name: openshift-compliance 51 | serviceAccount: 52 | name: "status-checker-compliance" 53 | 54 | compliance-operator-full-stack: 55 | compliance: 56 | namespace: 57 | name: openshift-compliance 58 | syncwave: '0' 59 | descr: 'Red Hat Compliance' 60 | scansettingbinding: 61 | enabled: true 62 | syncwave: '3' 63 | 64 | # Example 65 | tailored: 66 | enabled: false 67 | modified_profiles: 68 | - name: tailoredprofile-ocp4-cis 69 | description: Modified ocp4-cis profile 70 | title: Tailored Profile of ocp4-cis 71 | extends: ocp4-cis 72 | disableRule: 73 | - name: 
ocp4-scc-limit-container-allowed-capabilities 74 | rationale: Disabling CIS-OCP 5.2.8 that will always be triggered as long as nutanix-csi does not provide SCC configuration 75 | 76 | profiles: 77 | - name: ocp4-cis-node 78 | kind: Profile # Could be Profile or TailoredProfile 79 | - name: ocp4-cis 80 | kind: Profile 81 | scansetting: default 82 | ``` 83 | 84 | {{ template "doc.footer" . }} 85 | -------------------------------------------------------------------------------- /clusters/management-cluster/setup-compliance-operator/config.json: -------------------------------------------------------------------------------- 1 | { 2 | "namespace": "openshift-compliance", 3 | "environment": "in-cluster" 4 | } -------------------------------------------------------------------------------- /clusters/management-cluster/setup-compliance-operator/templates/_helpers.tpl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tjungbauer/openshift-clusterconfig-gitops/d47d85acc9324972e253db70a46fa16ee3c17d28/clusters/management-cluster/setup-compliance-operator/templates/_helpers.tpl -------------------------------------------------------------------------------- /clusters/management-cluster/setup-compliance-operator/values.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | # Install the Compliance Operator 4 | # Deploys Operator --> Subscription and Operatorgroup 5 | # Syncwave: 0 6 | helper-operator: 7 | operators: 8 | compliance-operator: 9 | enabled: true 10 | syncwave: '0' 11 | namespace: 12 | name: openshift-compliance 13 | create: true 14 | subscription: 15 | channel: stable 16 | approval: Automatic 17 | operatorName: compliance-operator 18 | source: redhat-operators 19 | sourceNamespace: openshift-marketplace 20 | operatorgroup: 21 | create: true 22 | notownnamespace: true 23 | 24 | helper-status-checker: 25 | enabled: true 26 | 27 | checks: 28 | - 
operatorName: compliance-operator 29 | namespace: 30 | name: openshift-compliance 31 | serviceAccount: 32 | name: "status-checker-compliance" 33 | 34 | 35 | compliance-operator-full-stack: 36 | compliance: 37 | namespace: 38 | name: openshift-compliance 39 | syncwave: '0' 40 | descr: 'Red Hat Compliance' 41 | scansettingbinding: 42 | enabled: true 43 | syncwave: '3' 44 | 45 | # Example 46 | tailored: 47 | enabled: false 48 | modified_profiles: 49 | - name: tailoredprofile-ocp4-cis 50 | description: Modified ocp4-cis profile 51 | title: Tailored Profile of ocp4-cis 52 | extends: ocp4-cis 53 | disableRule: 54 | - name: ocp4-scc-limit-container-allowed-capabilities 55 | rationale: Disabling CIS-OCP 5.2.8 that will always be triggered as long as nutanix-csi does not provide SCC configuration 56 | 57 | profiles: 58 | - name: ocp4-cis-node 59 | kind: Profile # Could be Profile or TailoredProfile 60 | - name: ocp4-cis 61 | kind: Profile 62 | scansetting: default 63 | -------------------------------------------------------------------------------- /clusters/management-cluster/setup-container-security-operator/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: setup-container-security-operator 3 | description: Setup the Quay Container Security Operator. 
4 | version: 1.0.6 5 | dependencies: 6 | - name: tpl 7 | version: ~1.0.0 8 | repository: https://charts.stderr.at/ 9 | - name: helper-operator 10 | version: ~1.0.14 11 | repository: https://charts.stderr.at/ 12 | - name: helper-status-checker 13 | version: ~4.0.0 14 | repository: https://charts.stderr.at/ 15 | condition: helper-status-checker.enabled 16 | maintainers: 17 | - name: tjungbauer 18 | email: tjungbau@redhat.com 19 | keywords: 20 | - acs 21 | - security 22 | -------------------------------------------------------------------------------- /clusters/management-cluster/setup-container-security-operator/LICENSE: -------------------------------------------------------------------------------- 1 | Copyright 2022 Thomas Jungbauer 2 | 3 | Licensed under the Apache License, Version 2.0 (the "License"); 4 | you may not use this file except in compliance with the License. 5 | You may obtain a copy of the License at 6 | 7 | http://www.apache.org/licenses/LICENSE-2.0 8 | 9 | Unless required by applicable law or agreed to in writing, software 10 | distributed under the License is distributed on an "AS IS" BASIS, 11 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | See the License for the specific language governing permissions and 13 | limitations under the License. 
-------------------------------------------------------------------------------- /clusters/management-cluster/setup-container-security-operator/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | # setup-container-security-operator 4 | 5 | [![License](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) 6 | [![Linting](https://github.com/tjungbauer/openshift-clusterconfig-gitops/actions/workflows/linting.yml/badge.svg)](https://github.com/tjungbauer/openshift-clusterconfig-gitops/actions/workflows/linting.yml) 7 | [![Release Charts](https://github.com/tjungbauer/helm-charts/actions/workflows/release.yml/badge.svg)](https://github.com/tjungbauer/helm-charts/actions/workflows/release.yml) 8 | 9 | ![Version: 1.0.6](https://img.shields.io/badge/Version-1.0.6-informational?style=flat-square) 10 | 11 | 12 | 13 | ## Description 14 | 15 | Setup the Quay Container Security Operator. 16 | 17 | This "wrapper" Helm Chart is used to deploy the Quay Container Security Operator using a GitOps approach. 18 | It calls the Chart [setup-container-security-operator](https://artifacthub.io/packages/helm/openshift-bootstraps/setup-container-security-operator) which takes care to deploy the Operator that does not require any additional configuration. 19 | 20 | The Operator does not require any additional configuration. It is installed... that's all. 21 | However, for the sake of consistency, I am still checking if the Operator deployment was successful (using helper-status-checker). 
22 | 23 | ## Dependencies 24 | 25 | This chart has the following dependencies: 26 | 27 | | Repository | Name | Version | 28 | |------------|------|---------| 29 | | https://charts.stderr.at/ | helper-operator | ~1.0.14 | 30 | | https://charts.stderr.at/ | helper-status-checker | ~4.0.0 | 31 | | https://charts.stderr.at/ | tpl | ~1.0.0 | 32 | 33 | ## Maintainers 34 | 35 | | Name | Email | Url | 36 | | ---- | ------ | --- | 37 | | tjungbauer | | | 38 | 39 | ## Sources 40 | Source: 41 | 42 | Source code: 43 | 44 | ## Example values files 45 | 46 | ```yaml 47 | --- 48 | helper-operator: 49 | operators: 50 | security-operator: 51 | enabled: true 52 | syncwave: '0' 53 | namespace: 54 | name: openshift-operators 55 | create: false 56 | subscription: 57 | channel: stable-3.10 58 | approval: Automatic 59 | operatorName: container-security-operator 60 | source: redhat-operators 61 | sourceNamespace: openshift-marketplace 62 | operatorgroup: 63 | create: false 64 | notownnamespace: true 65 | 66 | helper-status-checker: 67 | enabled: true 68 | 69 | checks: 70 | 71 | - operatorName: container-security-operator 72 | namespace: 73 | name: openshift-operators 74 | syncwave: 3 75 | 76 | serviceAccount: 77 | name: "status-security-operator" 78 | ``` 79 | 80 | ---------------------------------------------- 81 | Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0) 82 | -------------------------------------------------------------------------------- /clusters/management-cluster/setup-container-security-operator/README.md.gotmpl: -------------------------------------------------------------------------------- 1 | {{ template "doc.header" . }} 2 | 3 | This "wrapper" Helm Chart is used to deploy Quay Container Security Operator using a GitOps approach. 
4 | It calls the Chart [setup-container-security-operator](https://github.com/tjungbauer/helm-charts/tree/main/charts/setup-container-security-operator) which takes care to deploy the Operator that does not require any additional configuration. 5 | 6 | The Operator does not require any additional configuration. It is installed... that's all. 7 | However, for the sake of consistency, I am still checking if the Operator deployment was successful (using helper-status-checker). 8 | 9 | {{ template "doc.deps" . }} 10 | 11 | {{ template "doc.maintainer_and_sources" . }} 12 | 13 | 14 | ## Example values files 15 | 16 | ```yaml 17 | --- 18 | helper-operator: 19 | operators: 20 | security-operator: 21 | enabled: true 22 | syncwave: '0' 23 | namespace: 24 | name: openshift-operators 25 | create: false 26 | subscription: 27 | channel: stable-3.10 28 | approval: Automatic 29 | operatorName: container-security-operator 30 | source: redhat-operators 31 | sourceNamespace: openshift-marketplace 32 | operatorgroup: 33 | create: false 34 | notownnamespace: true 35 | 36 | helper-status-checker: 37 | enabled: true 38 | 39 | checks: 40 | 41 | - operatorName: container-security-operator 42 | namespace: 43 | name: openshift-operators 44 | syncwave: 3 45 | 46 | serviceAccount: 47 | name: "status-security-operator" 48 | ``` 49 | 50 | {{ template "doc.footer" . 
}} 51 | -------------------------------------------------------------------------------- /clusters/management-cluster/setup-container-security-operator/config.json: -------------------------------------------------------------------------------- 1 | { 2 | "namespace": "default", 3 | "environment": "in-cluster" 4 | } -------------------------------------------------------------------------------- /clusters/management-cluster/setup-container-security-operator/templates/_helpers.tpl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tjungbauer/openshift-clusterconfig-gitops/d47d85acc9324972e253db70a46fa16ee3c17d28/clusters/management-cluster/setup-container-security-operator/templates/_helpers.tpl -------------------------------------------------------------------------------- /clusters/management-cluster/setup-container-security-operator/values.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | helper-operator: 3 | operators: 4 | security-operator: 5 | enabled: true 6 | syncwave: '0' 7 | namespace: 8 | name: openshift-operators 9 | create: false 10 | subscription: 11 | channel: stable-3.11 12 | approval: Automatic 13 | operatorName: container-security-operator 14 | source: redhat-operators 15 | sourceNamespace: openshift-marketplace 16 | operatorgroup: 17 | create: false 18 | notownnamespace: true 19 | 20 | helper-status-checker: 21 | enabled: true 22 | 23 | checks: 24 | 25 | - operatorName: container-security-operator 26 | namespace: 27 | name: openshift-operators 28 | syncwave: 3 29 | 30 | serviceAccount: 31 | name: "status-security-operator" 32 | -------------------------------------------------------------------------------- /clusters/management-cluster/setup-cost-management-operator/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 
2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /clusters/management-cluster/setup-cost-management-operator/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: setup-cost-management-operator 3 | description: Setup Cost Management Operator 4 | version: 1.0.0 5 | dependencies: 6 | - name: tpl 7 | version: ~1.0.0 8 | repository: https://charts.stderr.at/ 9 | - name: helper-operator 10 | version: ~1.0.0 11 | repository: https://charts.stderr.at/ 12 | - name: helper-status-checker 13 | version: ~4.0.0 14 | repository: https://charts.stderr.at/ 15 | condition: helper-status-checker.enabled 16 | - name: cost-management 17 | version: ~1.0.0 18 | repository: https://charts.stderr.at/ 19 | maintainers: 20 | - name: tjungbauer 21 | -------------------------------------------------------------------------------- /clusters/management-cluster/setup-cost-management-operator/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | # setup-file-integrity-operator 4 | 5 | [![License](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) 6 | [![Linting](https://github.com/tjungbauer/openshift-clusterconfig-gitops/actions/workflows/linting.yml/badge.svg)](https://github.com/tjungbauer/openshift-clusterconfig-gitops/actions/workflows/linting.yml) 7 | [![Release 
Charts](https://github.com/tjungbauer/helm-charts/actions/workflows/release.yml/badge.svg)](https://github.com/tjungbauer/helm-charts/actions/workflows/release.yml) 8 | 9 | ![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) 10 | 11 | 12 | 13 | ## Description 14 | 15 | Setup File Integrity Operator 16 | 17 | This "wrapper" Helm Chart is used to deploy and configure the CostManagement Operator. 18 | This Operator can be used to get information about the usage (cpu, memory, etc) of different Namespaces. 19 | 20 | By default, it uploads the results to cloud.redhat.com. In the example below the airgapped method is used. In such a case, results must be downloaded manually from the persistent volume. 21 | 22 | It mainly uses the Chart [cost-management](https://github.com/tjungbauer/helm-charts/tree/main/charts/cost-management) which takes care of configuring the Operator. 23 | The [values-file](https://github.com/tjungbauer/helm-charts/tree/main/charts/cost-management) of the main chart provides further examples of possible settings. 24 | 25 | Three additional Charts are required as a dependency and are responsible for installing and verifying the Operator itself as well as providing a template library. 26 | Verify the README and/or the values files for further information. 
27 | 28 | ## Dependencies 29 | 30 | This chart has the following dependencies: 31 | 32 | | Repository | Name | Version | 33 | |------------|------|---------| 34 | | https://charts.stderr.at/ | cost-management | ~1.0.0 | 35 | | https://charts.stderr.at/ | helper-operator | ~1.0.0 | 36 | | https://charts.stderr.at/ | helper-status-checker | ~4.0.0 | 37 | | https://charts.stderr.at/ | tpl | ~1.0.0 | 38 | 39 | ## Maintainers 40 | 41 | | Name | Email | Url | 42 | | ---- | ------ | --- | 43 | | tjungbauer | | | 44 | 45 | ## Sources 46 | Source: 47 | 48 | Source code: 49 | 50 | ## Example values files 51 | 52 | ```yaml 53 | --- 54 | 55 | cost-management: 56 | costmgmt: 57 | enabled: true 58 | 59 | name: costmanagementmetricscfg 60 | 61 | airgapped: true 62 | 63 | max_reports_to_store: 60 64 | 65 | # must be less or equal to 100 66 | # Default: 100 67 | # max_size_MB: 100 68 | upload_cycle: 360 69 | 70 | # Deploys Operator --> Subscription and Operatorgroup 71 | # Syncwave: 0 72 | helper-operator: 73 | operators: 74 | cost-management-operator: 75 | enabled: true 76 | syncwave: '0' 77 | namespace: 78 | name: costmanagement-metrics-operator 79 | create: true 80 | subscription: 81 | channel: stable 82 | approval: Automatic 83 | operatorName: costmanagement-metrics-operator 84 | source: redhat-operators 85 | sourceNamespace: openshift-marketplace 86 | operatorgroup: 87 | create: true 88 | notownnamespace: false 89 | 90 | helper-status-checker: 91 | enabled: true 92 | 93 | checks: 94 | - operatorName: costmanagement-metrics-operator 95 | namespace: 96 | name: costmanagement-metrics-operator 97 | serviceAccount: 98 | name: "sa-costmanagement-metrics" 99 | ``` 100 | 101 | ---------------------------------------------- 102 | Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0) 103 | -------------------------------------------------------------------------------- 
/clusters/management-cluster/setup-cost-management-operator/README.md.gotmpl: -------------------------------------------------------------------------------- 1 | {{ template "doc.header" . }} 2 | 3 | This "wrapper" Helm Chart is used to deploy and configure the CostManagement Operator. 4 | This Operator can be used to get information about the usage (cpu, memory, etc) of different Namespaces. 5 | 6 | By default, it uploads the results to cloud.redhat.com. In the example below the airgapped method is used. In such a case, results must be downloaded manually from the persistent volume. 7 | 8 | It mainly uses the Chart [cost-management](https://github.com/tjungbauer/helm-charts/tree/main/charts/cost-management) which takes care of configuring the Operator. 9 | The [values-file](https://github.com/tjungbauer/helm-charts/tree/main/charts/cost-management) of the main chart provides further examples of possible settings. 10 | 11 | 12 | Three additional Charts are required as a dependency and are responsible for installing and verifying the Operator itself as well as providing a template library. 13 | Verify the README and/or the values files for further information. 14 | 15 | {{ template "doc.deps" . }} 16 | 17 | {{ template "doc.maintainer_and_sources" . 
}} 18 | 19 | 20 | ## Example values files 21 | 22 | ```yaml 23 | --- 24 | 25 | cost-management: 26 | costmgmt: 27 | enabled: true 28 | 29 | name: costmanagementmetricscfg 30 | 31 | airgapped: true 32 | 33 | max_reports_to_store: 60 34 | 35 | # must be less or equal to 100 36 | # Default: 100 37 | # max_size_MB: 100 38 | upload_cycle: 360 39 | 40 | # Deploys Operator --> Subscription and Operatorgroup 41 | # Syncwave: 0 42 | helper-operator: 43 | operators: 44 | cost-management-operator: 45 | enabled: true 46 | syncwave: '0' 47 | namespace: 48 | name: costmanagement-metrics-operator 49 | create: true 50 | subscription: 51 | channel: stable 52 | approval: Automatic 53 | operatorName: costmanagement-metrics-operator 54 | source: redhat-operators 55 | sourceNamespace: openshift-marketplace 56 | operatorgroup: 57 | create: true 58 | notownnamespace: false 59 | 60 | helper-status-checker: 61 | enabled: true 62 | 63 | checks: 64 | - operatorName: costmanagement-metrics-operator 65 | namespace: 66 | name: costmanagement-metrics-operator 67 | serviceAccount: 68 | name: "sa-costmanagement-metrics" 69 | ``` 70 | 71 | {{ template "doc.footer" . 
}} 72 | -------------------------------------------------------------------------------- /clusters/management-cluster/setup-cost-management-operator/config.json: -------------------------------------------------------------------------------- 1 | { 2 | "namespace": "costmanagement-metrics-operator", 3 | "environment": "in-cluster" 4 | } -------------------------------------------------------------------------------- /clusters/management-cluster/setup-cost-management-operator/templates/_helpers.tpl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tjungbauer/openshift-clusterconfig-gitops/d47d85acc9324972e253db70a46fa16ee3c17d28/clusters/management-cluster/setup-cost-management-operator/templates/_helpers.tpl -------------------------------------------------------------------------------- /clusters/management-cluster/setup-cost-management-operator/values.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | cost-management: 4 | costmgmt: 5 | enabled: true 6 | 7 | name: costmanagementmetricscfg 8 | 9 | airgapped: true 10 | 11 | max_reports_to_store: 60 12 | 13 | # must be less or equal to 100 14 | # Default: 100 15 | # max_size_MB: 100 16 | upload_cycle: 360 17 | 18 | # Deploys Operator --> Subscription and Operatorgroup 19 | # Syncwave: 0 20 | helper-operator: 21 | operators: 22 | cost-management-operator: 23 | enabled: true 24 | syncwave: '0' 25 | namespace: 26 | name: costmanagement-metrics-operator 27 | create: true 28 | subscription: 29 | channel: stable 30 | approval: Automatic 31 | operatorName: costmanagement-metrics-operator 32 | source: redhat-operators 33 | sourceNamespace: openshift-marketplace 34 | operatorgroup: 35 | create: true 36 | notownnamespace: false 37 | 38 | helper-status-checker: 39 | enabled: true 40 | 41 | checks: 42 | - operatorName: costmanagement-metrics-operator 43 | namespace: 44 | name: costmanagement-metrics-operator 45 | 
serviceAccount: 46 | name: "sa-costmanagement-metrics" 47 | -------------------------------------------------------------------------------- /clusters/management-cluster/setup-crunchy-postgres/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: setup-crunchy-postgres 3 | description: Deploy and configure Crunchy Postgres Operator and Postgres clusters 4 | home: https://github.com/tjungbauer/openshift-clusterconfig-gitops/tree/main/clusters/management-cluster/setup-crunchy-postgres 5 | version: 1.0.0 6 | dependencies: 7 | - name: tpl 8 | version: ~1.0.0 9 | repository: https://charts.stderr.at/ 10 | - name: helper-operator 11 | version: ~1.0.21 12 | repository: https://charts.stderr.at/ 13 | - name: helper-status-checker 14 | version: ~4.0.0 15 | repository: https://charts.stderr.at/ 16 | condition: helper-status-checker.enabled 17 | - name: helper-objectstore 18 | version: ~1.0.0 19 | repository: https://charts.stderr.at/ 20 | condition: helper-objectstore.enabled 21 | maintainers: 22 | - name: tjungbauer 23 | email: tjungbau@redhat.com 24 | url: https://blog.stderr.at/ 25 | sources: 26 | - https://github.com/tjungbauer/helm-charts 27 | - https://charts.stderr.at/ 28 | - https://github.com/tjungbauer/openshift-clusterconfig-gitops 29 | keywords: 30 | - crunchy 31 | - database 32 | -------------------------------------------------------------------------------- /clusters/management-cluster/setup-crunchy-postgres/LICENSE: -------------------------------------------------------------------------------- 1 | Copyright 2025 Thomas Jungbauer 2 | 3 | Licensed under the Apache License, Version 2.0 (the "License"); 4 | you may not use this file except in compliance with the License. 
5 | You may obtain a copy of the License at 6 | 7 | http://www.apache.org/licenses/LICENSE-2.0 8 | 9 | Unless required by applicable law or agreed to in writing, software 10 | distributed under the License is distributed on an "AS IS" BASIS, 11 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | See the License for the specific language governing permissions and 13 | limitations under the License. -------------------------------------------------------------------------------- /clusters/management-cluster/setup-crunchy-postgres/README.md.gotmpl: -------------------------------------------------------------------------------- 1 | {{ template "doc.header" . }} 2 | 3 | This chart shall install the Crunchy Data Postgres Operator and configure a Postgres Cluster resource. 4 | 5 | It is currently in a DRAFT state. 6 | 7 | {{ template "doc.deps" . }} 8 | 9 | {{ template "doc.maintainer_and_sources" . }} 10 | 11 | 12 | ## Example values files 13 | 14 | ```yaml 15 | --- 16 | 17 | ``` 18 | 19 | {{ template "doc.footer" . 
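}} 20 | -------------------------------------------------------------------------------- /clusters/management-cluster/setup-crunchy-postgres/config.json: -------------------------------------------------------------------------------- 1 | { 2 | "namespace": "crunchy-postgres-operator", 3 | "environment": "in-cluster" 4 | } -------------------------------------------------------------------------------- /clusters/management-cluster/setup-crunchy-postgres/templates/PodMonitor.yaml: -------------------------------------------------------------------------------- 1 | {{- /* PodMonitor for the Crunchy Postgres cluster exporter. Rendered only when .Values.postgresql.enabled and .Values.postgresql.monitoring.enabled are both "true"; scrapes the "exporter" port of pods labelled with the cluster name. */ }} 2 | {{- with .Values.postgresql }} 3 | {{ if eq (.enabled | toString) "true" }} 4 | {{- if .monitoring }} 5 | {{- if eq (.monitoring.enabled | toString) "true" }} 6 | --- 7 | apiVersion: monitoring.coreos.com/v1 8 | kind: PodMonitor 9 | metadata: 10 | name: postgres-monitor 11 | namespace: {{ $.Values.namespace }} 12 | labels: 13 | {{- include "tpl.labels" $ | nindent 4 }} 14 | annotations: 15 | argocd.argoproj.io/sync-wave: {{ if kindIs "invalid" .syncwave }}"10"{{ else }}{{ .syncwave | quote }}{{ end }} {{- /* annotation values must be strings: with syncwave unset, the previous "quote | default" chain emitted an unquoted 10, which the API server rejects; this form keeps 0 and '0' as given and falls back to the quoted "10" only when the key is absent */ }} 16 | argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true 17 | spec: 18 | namespaceSelector: 19 | matchNames: 20 | - {{ $.Values.namespace }} 21 | podMetricsEndpoints: 22 | - interval: 30s 23 | path: /metrics 24 | port: exporter 25 | scheme: http {{- /* NOTE(review): metrics are scraped over plain HTTP on the in-cluster exporter port; confirm this is intended before relying on it */ }} 26 | scrapeTimeout: 29s 27 | selector: 28 | matchLabels: 29 | postgres-operator.crunchydata.com/cluster: {{ .name }} {{- /* assumes .Values.postgresql.name is the PostgresCluster name the operator labels pods with; an empty value yields an empty selector */ }} 30 | {{- end }} 31 | {{- end }} 32 | {{- end }} 33 | {{- end }} 34 | -------------------------------------------------------------------------------- /clusters/management-cluster/setup-crunchy-postgres/templates/_helpers.tpl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tjungbauer/openshift-clusterconfig-gitops/d47d85acc9324972e253db70a46fa16ee3c17d28/clusters/management-cluster/setup-crunchy-postgres/templates/_helpers.tpl -------------------------------------------------------------------------------- 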
/clusters/management-cluster/setup-file-integrity-operator/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /clusters/management-cluster/setup-file-integrity-operator/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: setup-file-integrity-operator 3 | description: Setup File Integrity Operator 4 | version: 1.0.1 5 | dependencies: 6 | - name: helper-operator 7 | version: ~1.0.0 8 | repository: https://charts.stderr.at/ 9 | - name: helper-status-checker 10 | version: ~4.0.0 11 | repository: https://charts.stderr.at/ 12 | condition: helper-status-checker.enabled 13 | - name: file-integrity-operator 14 | version: ~1.0.0 15 | repository: https://charts.stderr.at/ 16 | - name: tpl 17 | version: ~1.0.0 18 | repository: https://charts.stderr.at/ 19 | maintainers: 20 | - name: tjungbauer 21 | -------------------------------------------------------------------------------- /clusters/management-cluster/setup-file-integrity-operator/README.md.gotmpl: -------------------------------------------------------------------------------- 1 | {{ template "doc.header" . }} 2 | 3 | This "wrapper" Helm Chart is used to deploy and configure the File Integrity Operator. 4 | This Operator can be used to verify if any file has been changed on the operating system. (based on AIDE). 
5 | 6 | The example below provides a configuration for the worker nodes and the control planes. 7 | 8 | It mainly uses the Chart [file-integrity-operator](https://github.com/tjungbauer/helm-charts/tree/main/charts/file-integrity-operator) which takes care of configuring the Operator. 9 | The [values-file](https://github.com/tjungbauer/helm-charts/tree/main/charts/file-integrity-operator) of the main chart provides further examples of possible settings. 10 | 11 | 12 | Three additional Charts are required as a dependency and are responsible for installing and verifying the Operator itself as well as providing a template library. 13 | Verify the README and/or the values files for further information. 14 | 15 | {{ template "doc.deps" . }} 16 | 17 | {{ template "doc.maintainer_and_sources" . }} 18 | 19 | 20 | ## Example values files 21 | 22 | ```yaml 23 | --- 24 | 25 | # Deploys Operator --> Subscription and Operatorgroup 26 | # Syncwave: 0 27 | helper-operator: 28 | operators: 29 | file-integrity-operator: 30 | enabled: true 31 | syncwave: '0' 32 | namespace: 33 | name: openshift-file-integrity 34 | create: true 35 | subscription: 36 | channel: stable 37 | approval: Manual 38 | operatorName: file-integrity-operator 39 | source: redhat-operators 40 | sourceNamespace: openshift-marketplace 41 | operatorgroup: 42 | create: true 43 | notownnamespace: true 44 | 45 | helper-status-checker: 46 | enabled: true 47 | approver: true 48 | 49 | checks: 50 | - operatorName: file-integrity-operator 51 | namespace: 52 | name: openshift-file-integrity 53 | serviceAccount: 54 | name: "sa-file-integrity-checker" 55 | 56 | file-integrity-operator: 57 | aide: 58 | worker: 59 | enabled: true 60 | syncwave: 5 61 | name: worker-fileintegrity 62 | namespace: openshift-file-integrity 63 | selector: 64 | key: node-role.kubernetes.io/worker 65 | value: "" 66 | config: 67 | gracePeriod: 900 68 | maxBackups: 5 69 | customconfig: # Created if omitted 70 | enabled: false 71 | # name: myconfig 72 | # 
namespace: openshift-file-integrity 73 | # key: "config" 74 | 75 | # If you want this component to only run on specific nodes, you can 76 | # configure tolerations of tainted nodes. 77 | tolerations: 78 | - effect: NoSchedule 79 | key: node-role.kubernetes.io/worker 80 | operator: Exists 81 | 82 | controlplane: 83 | enabled: true 84 | syncwave: 10 85 | name: controlplane-fileintegrity 86 | namespace: openshift-file-integrity 87 | selector: 88 | key: node-role.kubernetes.io/master 89 | value: "" 90 | config: 91 | gracePeriod: 900 92 | maxBackups: 5 93 | customconfig: # Created if omitted 94 | enabled: true 95 | name: controlplane-aide-conf 96 | namespace: openshift-file-integrity 97 | key: "controlplane-aide.conf" 98 | 99 | # If you want this component to only run on specific nodes, you can 100 | # configure tolerations of tainted nodes. 101 | tolerations: 102 | - effect: NoSchedule 103 | key: node-role.kubernetes.io/master 104 | operator: Exists 105 | ``` 106 | 107 | {{ template "doc.footer" . 
}} 108 | -------------------------------------------------------------------------------- /clusters/management-cluster/setup-file-integrity-operator/config.json: -------------------------------------------------------------------------------- 1 | { 2 | "namespace": "openshift-file-integrity", 3 | "environment": "in-cluster" 4 | } -------------------------------------------------------------------------------- /clusters/management-cluster/setup-file-integrity-operator/templates/_helpers.tpl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tjungbauer/openshift-clusterconfig-gitops/d47d85acc9324972e253db70a46fa16ee3c17d28/clusters/management-cluster/setup-file-integrity-operator/templates/_helpers.tpl -------------------------------------------------------------------------------- /clusters/management-cluster/setup-file-integrity-operator/values.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | # Deploys Operator --> Subscription and Operatorgroup 4 | # Syncwave: 0 5 | helper-operator: 6 | operators: 7 | file-integrity-operator: 8 | enabled: true 9 | syncwave: '0' 10 | namespace: 11 | name: openshift-file-integrity 12 | create: true 13 | subscription: 14 | channel: stable 15 | approval: Manual 16 | operatorName: file-integrity-operator 17 | source: redhat-operators 18 | sourceNamespace: openshift-marketplace 19 | operatorgroup: 20 | create: true 21 | notownnamespace: true 22 | 23 | helper-status-checker: 24 | enabled: true 25 | approver: true 26 | 27 | checks: 28 | - operatorName: file-integrity-operator 29 | namespace: 30 | name: openshift-file-integrity 31 | serviceAccount: 32 | name: "sa-file-integrity-checker" 33 | 34 | file-integrity-operator: 35 | aide: 36 | worker: 37 | enabled: true 38 | syncwave: 5 39 | name: worker-fileintegrity 40 | namespace: openshift-file-integrity 41 | selector: 42 | key: node-role.kubernetes.io/worker 43 | value: "" 
44 | config: 45 | gracePeriod: 900 46 | maxBackups: 5 47 | customconfig: # Created if omitted 48 | enabled: false 49 | # name: myconfig 50 | # namespace: openshift-file-integrity 51 | # key: "config" 52 | 53 | # Tolerations do not restrict where this component runs (the selector above does); they allow it 54 | # to be scheduled onto nodes that carry a matching taint. 55 | tolerations: 56 | - effect: NoSchedule 57 | key: node-role.kubernetes.io/worker 58 | operator: Exists 59 | 60 | controlplane: 61 | enabled: true 62 | syncwave: 10 63 | name: controlplane-fileintegrity 64 | namespace: openshift-file-integrity 65 | selector: 66 | key: node-role.kubernetes.io/master 67 | value: "" 68 | config: 69 | gracePeriod: 900 70 | maxBackups: 5 71 | customconfig: # Created if omitted 72 | enabled: true 73 | name: controlplane-aide-conf 74 | namespace: openshift-file-integrity 75 | key: "controlplane-aide.conf" 76 | 77 | # Tolerations do not restrict where this component runs (the selector above does); they allow it 78 | # to be scheduled onto nodes that carry a matching taint. 79 | tolerations: 80 | - effect: NoSchedule 81 | key: node-role.kubernetes.io/master 82 | operator: Exists 83 | -------------------------------------------------------------------------------- /clusters/management-cluster/setup-multicluster-observability/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: setup-multicluster-observability 3 | description: Enables MultiClusterObservability once ACM has been installed 4 | version: 1.0.1 5 | dependencies: 6 | - name: tpl 7 | version: ~1.0.0 8 | repository: https://charts.stderr.at/ 9 | - name: helper-objectstore 10 | version: ~1.0.0 11 | repository: https://charts.stderr.at/ 12 | condition: helper-objectstore.enabled 13 | maintainers: 14 | - name: tjungbauer 15 | -------------------------------------------------------------------------------- /clusters/management-cluster/setup-multicluster-observability/config.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "namespace": "open-cluster-management-observability", 3 | "environment": "in-cluster" 4 | } -------------------------------------------------------------------------------- /clusters/management-cluster/setup-multicluster-observability/templates/MultiClusterObservability.yaml: -------------------------------------------------------------------------------- 1 | {{ if eq (.Values.multicluster_observability.enabled | toString) "true" }} 2 | {{- with .Values.multicluster_observability }} 3 | --- 4 | apiVersion: observability.open-cluster-management.io/v1beta2 5 | kind: MultiClusterObservability 6 | metadata: 7 | name: observability 8 | spec: 9 | enableDownsampling: {{ .config.enableDownsampling | default "true" }} 10 | imagePullPolicy: {{ .imagePullPolicy | default "Always" }} 11 | observabilityAddonSpec: 12 | enableMetrics: {{ .config.addonSpec.enableMetrics | default "true" }} 13 | interval: {{ .config.addonSpec.interval | default "60" }} 14 | storageConfig: 15 | metricObjectStorage: 16 | name: {{ .s3_secretname }} 17 | key: thanos.yaml 18 | storeStorageSize: {{ .config.storage.storeStorageSize | default "10Gi" }} 19 | storageClass: {{ .config.storage.storageClass | default "gp2" }} 20 | advanced: 21 | {{- if .config.advanced.alertmanager }} 22 | alertmanager: 23 | {{ toYaml .config.advanced.alertmanager | indent 6 }} 24 | {{- end }} 25 | retentionConfig: 26 | blockDuration: {{ .config.advanced.retentionConfig.blockDuration | default "2h" }} 27 | deleteDelay: {{ .config.advanced.retentionConfig.deleteDelay | default "48h" }} 28 | retentionInLocal: {{ .config.advanced.retentionConfig.retentionInLocal | default "24h" }} 29 | retentionResolutionRaw: {{ .config.advanced.retentionConfig.retentionResolutionRaw | default "30d" }} 30 | retentionResolution5m: {{ .config.advanced.retentionConfig.retentionResolution5m | default "180d" }} 31 | retentionResolution1h: {{ 
.config.advanced.retentionConfig.retentionResolution1h | default "0d" }} 32 | {{- end }} 33 | {{- end }} 34 | -------------------------------------------------------------------------------- /clusters/management-cluster/setup-multicluster-observability/templates/_helpers.tpl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tjungbauer/openshift-clusterconfig-gitops/d47d85acc9324972e253db70a46fa16ee3c17d28/clusters/management-cluster/setup-multicluster-observability/templates/_helpers.tpl -------------------------------------------------------------------------------- /clusters/management-cluster/setup-multicluster-observability/templates/jobs/create-bucket-secret-crb.yaml: -------------------------------------------------------------------------------- 1 | {{- if eq ( .Values.multicluster_observability.enabled | toString) "true" }} 2 | {{- with .Values.multicluster_observability }} 3 | --- 4 | apiVersion: rbac.authorization.k8s.io/v1 5 | kind: ClusterRoleBinding 6 | metadata: 7 | name: create-s3-secret-crb-{{ .namespace }} 8 | annotations: 9 | argocd.argoproj.io/hook: Sync 10 | argocd.argoproj.io/hook-delete-policy: HookSucceeded 11 | argocd.argoproj.io/sync-wave: {{ .syncwave | default 3 | quote }} 12 | labels: 13 | {{- include "tpl.labels" $ | nindent 4 }} 14 | roleRef: 15 | apiGroup: rbac.authorization.k8s.io 16 | kind: ClusterRole 17 | name: admin 18 | subjects: 19 | - kind: ServiceAccount 20 | name: create-s3-secret-sa 21 | namespace: {{ .namespace }} 22 | {{- end }} 23 | {{- end }} 24 | -------------------------------------------------------------------------------- /clusters/management-cluster/setup-multicluster-observability/templates/jobs/create-bucket-secret-sa.yaml: -------------------------------------------------------------------------------- 1 | {{- if eq ( .Values.multicluster_observability.enabled | toString) "true" }} 2 | {{- with .Values.multicluster_observability }} 3 | --- 4 | 
apiVersion: v1 5 | kind: ServiceAccount 6 | metadata: 7 | name: create-s3-secret-sa 8 | namespace: {{ .namespace }} 9 | annotations: 10 | argocd.argoproj.io/hook: Sync 11 | argocd.argoproj.io/hook-delete-policy: HookSucceeded 12 | argocd.argoproj.io/sync-wave: {{ .syncwave | default 3 | quote }} 13 | labels: 14 | {{- include "tpl.labels" $ | nindent 4 }} 15 | {{- end }} 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /clusters/management-cluster/setup-multicluster-observability/templates/jobs/create-bucket-secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if eq ( .Values.multicluster_observability.enabled | toString) "true" }} 2 | {{- with .Values.multicluster_observability }} 3 | --- 4 | apiVersion: batch/v1 5 | kind: Job 6 | metadata: 7 | name: create-s3-bucket-secret 8 | namespace: {{ .namespace }} 9 | annotations: 10 | argocd.argoproj.io/hook: Sync 11 | argocd.argoproj.io/hook-delete-policy: HookSucceeded 12 | argocd.argoproj.io/sync-wave: {{ .syncwave | default "10" | quote }} 13 | labels: 14 | {{- include "tpl.labels" $ | nindent 4 }} 15 | spec: 16 | template: 17 | metadata: 18 | name: create-s3-secret 19 | spec: 20 | containers: 21 | - name: create-s3-secret 22 | image: registry.redhat.io/openshift4/ose-cli:latest 23 | command: 24 | - /bin/bash 25 | - -c 26 | - | 27 | #!/usr/bin/env bash 28 | 29 | # Sleeping before starting with the work, to be sure the bucket has been created. 30 | SLEEPER_TMP=0 31 | 32 | printf "Waiting 20 seconds before I start with the generation of the configuration\n" 33 | 34 | while [[ $SLEEPER_TMP -le "20" ]]; do 35 | echo -n "." 
36 | sleep 1 37 | SLEEPER_TMP=$(($SLEEPER_TMP+1)) 38 | done 39 | 40 | printf "\nTrying to create the required ACM secret file\n" 41 | 42 | bucket_user=`cat /tmp/bucket-secret/AWS_ACCESS_KEY_ID` 43 | 44 | bucket_secret=`cat /tmp/bucket-secret/AWS_SECRET_ACCESS_KEY` 45 | 46 | bucket_name=`cat /tmp/s3-bucket/BUCKET_NAME` 47 | 48 | bucket_host=`cat /tmp/s3-bucket/BUCKET_HOST` 49 | 50 | bucket_region=`cat /tmp/s3-bucket/BUCKET_REGION` 51 | 52 | oc create secret generic {{ .s3_secretname }} --from-literal thanos.yaml="type: s3 53 | config: 54 | bucket: ${bucket_name} 55 | endpoint: ${bucket_host} 56 | insecure: true 57 | access_key: ${bucket_user} 58 | secret_key: ${bucket_secret}" --type=Opaque 59 | 60 | printf "\nSecret {{ .s3_secretname }} has been created\n" 61 | volumeMounts: 62 | - name: bucket-secret 63 | mountPath: "/tmp/bucket-secret" 64 | readOnly: true 65 | - name: s3-bucket 66 | mountPath: /tmp/s3-bucket 67 | volumes: 68 | - name: bucket-secret 69 | secret: 70 | secretName: {{ .bucket.name }} 71 | - name: s3-bucket 72 | configMap: 73 | name: {{ .bucket.name }} 74 | restartPolicy: Never 75 | serviceAccountName: create-s3-secret-sa 76 | {{- end }} 77 | {{- end }} 78 | -------------------------------------------------------------------------------- /clusters/management-cluster/setup-multicluster-observability/templates/namespace.yaml: -------------------------------------------------------------------------------- 1 | {{ if eq (.Values.multicluster_observability.enabled | toString) "true" }} 2 | --- 3 | apiVersion: v1 4 | kind: Namespace 5 | metadata: 6 | name: open-cluster-management-observability 7 | labels: 8 | openshift.io/cluster-monitoring: "true" 9 | {{- include "tpl.labels" $ | nindent 4 }} 10 | {{- end }} 11 | -------------------------------------------------------------------------------- /clusters/management-cluster/setup-multicluster-observability/values.yaml: -------------------------------------------------------------------------------- 1 | --- 2 
| storageclassname: &storageclassname observability-bucket-storage-class 3 | bucketname: &bucketname multicluster-observability-bucket 4 | 5 | multicluster_observability: 6 | enabled: true 7 | namespace: open-cluster-management-observability 8 | s3_secretname: thanos-object-store 9 | bucket: 10 | name: *bucketname 11 | 12 | config: 13 | addonSpec: 14 | enableMetrics: true 15 | # interval: 60 16 | 17 | # Enable or disable the downsampling. 18 | # The default is true. Note: the template pipes this value through `default "true"`, which treats a boolean false as empty and falls back to true; use the quoted string "false" to disable it. 19 | # 20 | # Note: Disabling downsampling is not recommended as querying long time ranges against non-downsampled data is neither efficient nor useful. 21 | # enableDownsampling: true 22 | 23 | storage: 24 | # The amount of storage applied to the Observability stateful sets, i.e. Thanos store, Rule, compact and receiver. 25 | # Default: 10Gi 26 | # storeStorageSize: 10Gi 27 | 28 | # Specify the storageClass for the Stateful Sets. This storage class will also be used for Object Storage if 29 | # MetricObjectStorage was configured for the system to create the storage. 30 | # Default: gp2 31 | storageClass: gp3-csi 32 | 33 | # Advanced configurations for observability 34 | advanced: 35 | 36 | # Specifies Alertmanager additional configuration 37 | # @default -- empty 38 | alertmanager: {} 39 | 40 | # For example, mount additional secrets: 41 | # secrets: 42 | # - smtp-config 43 | 44 | # Specifies the data retention configurations to be used by Observability 45 | retentionConfig: 46 | # configure --tsdb.block-duration in rule (Block duration for TSDB block) 47 | # Default is 2h 48 | # blockDuration: 2h 49 | 50 | # configure --delete-delay in compact (time before a block marked for deletion is deleted from the bucket). 51 | # Default is 48h 52 | # deleteDelay: 48h 53 | 54 | # How long to retain raw samples in a local disk. It applies to rule/receive: --tsdb.retention in receive and --tsdb.retention in rule. 55 | # Default is 24h. 56 | # retentionInLocal: 24h 57 | 58 | # How long to retain raw samples in a bucket. 
59 | # Default is 30d. 60 | retentionResolutionRaw: 10d 61 | 62 | # How long to retain samples of resolution 1 (5 minutes) in a bucket. 63 | # Default is 180d 64 | retentionResolution5m: 90d 65 | 66 | # How long to retain samples of resolution 2 (1 hour) in a bucket. 67 | # Default is 0d. 68 | retentionResolution1h: 10d 69 | 70 | # A helper chart that simply creates another backingstore for quay. 71 | # This is a chart in a very early state, and not everything can be customized for now. 72 | # It will create the objects: 73 | # - BackingStore 74 | # - BackingClass 75 | # - StorageClass 76 | 77 | # NOTE: Currently only PV type is supported 78 | helper-objectstore: 79 | enabled: true 80 | # syncwave: 1 81 | 82 | # Name of the BackingStore 83 | backingstore_name: observability-backingstore 84 | # Size of the BackingStore 85 | backingstore_size: 200Gi 86 | limits_cpu: 500m 87 | limits_memory: 2Gi 88 | # numOfVolumes: 1 89 | # type: pv-pool 90 | 91 | # The StorageClass the BackingStore is based on 92 | baseStorageClass: gp3-csi 93 | 94 | # Name of the StorageClass that shall be enabled. 95 | storageclass_name: *storageclassname 96 | 97 | # Bucket that shall be created 98 | bucket: 99 | enabled: true 100 | name: *bucketname 101 | namespace: open-cluster-management-observability 102 | 103 | # is_secure: true 104 | # port: 443 105 | 106 | # Name of the storageclass 107 | # Default: openshift-storage.noobaa.io 108 | # a separate StorageClass with BackingStore and BackingClass can be created. 109 | storageclass: *storageclassname 110 | 111 | # Syncwave for bucketclaim creation. This should be done very early, but it depends on ODF. 
112 | # Default: 2 113 | syncwave: 2 114 | -------------------------------------------------------------------------------- /clusters/management-cluster/setup-network-observability/Chart.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v2 3 | name: setup-network-observability 4 | description: Installs and configures OpenShift Network Observability. 5 | version: 1.0.1 6 | dependencies: 7 | - name: tpl 8 | version: ~1.0.0 9 | repository: https://charts.stderr.at/ 10 | - name: helper-loki-bucket-secret 11 | version: ~1.0.0 12 | repository: https://charts.stderr.at/ 13 | condition: helper-loki-bucket-secret.enabled 14 | - name: helper-operator 15 | version: ~1.0.0 16 | repository: https://charts.stderr.at/ 17 | # - name: helper-status-checker 18 | # version: ~4.0.0 19 | # repository: https://charts.stderr.at/ 20 | - name: helper-objectstore 21 | version: ~1.0.0 22 | repository: https://charts.stderr.at/ 23 | condition: helper-objectstore.enabled 24 | - name: network-observability 25 | version: ~2.0.0 26 | repository: https://charts.stderr.at/ 27 | condition: network-observability.enabled 28 | - name: helper-lokistack 29 | version: ~1.0.0 30 | repository: https://charts.stderr.at/ 31 | condition: helper-lokistack.enabled 32 | maintainers: 33 | - name: tjungbauer 34 | -------------------------------------------------------------------------------- /clusters/management-cluster/setup-network-observability/config.json: -------------------------------------------------------------------------------- 1 | { 2 | "namespace": "openshift-netobserv-operator", 3 | "environment": "in-cluster" 4 | } -------------------------------------------------------------------------------- /clusters/management-cluster/setup-network-observability/templates/_helpers.tpl: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/tjungbauer/openshift-clusterconfig-gitops/d47d85acc9324972e253db70a46fa16ee3c17d28/clusters/management-cluster/setup-network-observability/templates/_helpers.tpl -------------------------------------------------------------------------------- /clusters/management-cluster/setup-openshift-data-foundation/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: clusterbranding 3 | description: Deploys Cluster Branding such as custom Login Page or Logo etc. 4 | version: 1.0.2 5 | dependencies: 6 | - name: tpl 7 | version: ~1.0.0 8 | repository: https://charts.stderr.at/ 9 | - name: openshift-data-foundation 10 | version: ~1.0.10 11 | repository: https://charts.stderr.at/ 12 | - name: helper-operator 13 | version: ~1.0.14 14 | repository: https://charts.stderr.at/ 15 | - name: helper-status-checker 16 | version: ~4.0.0 17 | repository: https://charts.stderr.at/ 18 | condition: helper-status-checker.enabled 19 | maintainers: 20 | - name: tjungbauer 21 | -------------------------------------------------------------------------------- /clusters/management-cluster/setup-openshift-data-foundation/LICENSE: -------------------------------------------------------------------------------- 1 | Copyright 2022 Thomas Jungbauer 2 | 3 | Licensed under the Apache License, Version 2.0 (the "License"); 4 | you may not use this file except in compliance with the License. 5 | You may obtain a copy of the License at 6 | 7 | http://www.apache.org/licenses/LICENSE-2.0 8 | 9 | Unless required by applicable law or agreed to in writing, software 10 | distributed under the License is distributed on an "AS IS" BASIS, 11 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | See the License for the specific language governing permissions and 13 | limitations under the License. 
-------------------------------------------------------------------------------- /clusters/management-cluster/setup-openshift-data-foundation/config.json: -------------------------------------------------------------------------------- 1 | { 2 | "namespace": "openshift-storage", 3 | "environment": "in-cluster" 4 | } -------------------------------------------------------------------------------- /clusters/management-cluster/setup-openshift-data-foundation/templates/_helpers.tpl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tjungbauer/openshift-clusterconfig-gitops/d47d85acc9324972e253db70a46fa16ee3c17d28/clusters/management-cluster/setup-openshift-data-foundation/templates/_helpers.tpl -------------------------------------------------------------------------------- /clusters/management-cluster/setup-openshift-logging/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: setup-openshift-logging 3 | description: Installs and configures OpenShift Logging by deploying Logging and Loki Operator and configuring them accordingly. Example configuration is creating a Bucket using OpenShift Data Foundation. 
4 | version: 1.0.1 5 | dependencies: 6 | - name: tpl 7 | version: ~1.0.0 8 | repository: https://charts.stderr.at/ 9 | - name: helper-operator 10 | version: ~1.0.18 11 | repository: https://charts.stderr.at/ 12 | - name: helper-status-checker 13 | version: ~4.0.0 14 | repository: https://charts.stderr.at/ 15 | condition: helper-status-checker.enabled 16 | - name: openshift-logging 17 | version: ~3.0.0 18 | repository: https://charts.stderr.at/ 19 | - name: helper-loki-bucket-secret 20 | version: ~1.0.0 21 | repository: https://charts.stderr.at/ 22 | condition: helper-loki-bucket-secret.enabled 23 | - name: helper-objectstore 24 | version: ~1.0.0 25 | repository: https://charts.stderr.at/ 26 | condition: helper-objectstore.enabled 27 | - name: helper-lokistack 28 | version: ~1.0.0 29 | repository: https://charts.stderr.at/ 30 | condition: helper-lokistack.enabled 31 | maintainers: 32 | - name: tjungbauer 33 | email: tjungbau@redhat.com 34 | url: https://blog.stderr.at/ 35 | sources: 36 | - https://github.com/tjungbauer/helm-charts 37 | - https://charts.stderr.at/ 38 | - https://github.com/tjungbauer/openshift-clusterconfig-gitops 39 | home: https://github.com/tjungbauer/openshift-clusterconfig-gitops/tree/main/clusters/management-cluster/setup-openshift-logging 40 | keywords: 41 | - logging 42 | - loki 43 | -------------------------------------------------------------------------------- /clusters/management-cluster/setup-openshift-logging/LICENSE: -------------------------------------------------------------------------------- 1 | Copyright 2022 Thomas Jungbauer 2 | 3 | Licensed under the Apache License, Version 2.0 (the "License"); 4 | you may not use this file except in compliance with the License. 
5 | You may obtain a copy of the License at 6 | 7 | http://www.apache.org/licenses/LICENSE-2.0 8 | 9 | Unless required by applicable law or agreed to in writing, software 10 | distributed under the License is distributed on an "AS IS" BASIS, 11 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | See the License for the specific language governing permissions and 13 | limitations under the License. -------------------------------------------------------------------------------- /clusters/management-cluster/setup-openshift-logging/config.json: -------------------------------------------------------------------------------- 1 | { 2 | "namespace": "openshift-logging", 3 | "environment": "in-cluster" 4 | } -------------------------------------------------------------------------------- /clusters/management-cluster/setup-openshift-logging/templates/UIPlugin.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.observability_ui_plugin }} 2 | {{- if eq ( .Values.observability_ui_plugin.enabled | toString) "true" }} 3 | --- 4 | apiVersion: observability.openshift.io/v1alpha1 5 | kind: UIPlugin 6 | metadata: 7 | name: {{ .Values.observability_ui_plugin.name}} 8 | spec: 9 | logging: 10 | logsLimit: {{ .Values.observability_ui_plugin.logsLimit}} 11 | lokiStack: 12 | name: {{.Values.lokistack }} 13 | timeout: {{ .Values.observability_ui_plugin.timeout}} 14 | type: {{ .Values.observability_ui_plugin.type}} 15 | {{- end }} 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /clusters/management-cluster/setup-openshift-logging/templates/_helpers.tpl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tjungbauer/openshift-clusterconfig-gitops/d47d85acc9324972e253db70a46fa16ee3c17d28/clusters/management-cluster/setup-openshift-logging/templates/_helpers.tpl 
-------------------------------------------------------------------------------- /clusters/management-cluster/setup-quay/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /clusters/management-cluster/setup-quay/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: setup-quay 3 | description: Setup Quay Registry 4 | version: 2.0.0 5 | dependencies: 6 | - name: tpl 7 | version: ~1.0.0 8 | repository: https://charts.stderr.at/ 9 | - name: quay-registry-setup 10 | version: ~2.0.0 11 | repository: https://charts.stderr.at/ 12 | - name: helper-operator 13 | version: ~1.0.0 14 | repository: https://charts.stderr.at/ 15 | - name: helper-status-checker 16 | version: ~4.0.0 17 | repository: https://charts.stderr.at/ 18 | condition: helper-status-checker.enabled 19 | - name: helper-objectstore 20 | version: ~1.0.0 21 | repository: https://charts.stderr.at/ 22 | condition: helper-objectstore.enabled 23 | maintainers: 24 | - name: tjungbauer 25 | -------------------------------------------------------------------------------- /clusters/management-cluster/setup-quay/config.json: -------------------------------------------------------------------------------- 1 | { 2 | "namespace": "quay-enterprise", 3 | "environment": "in-cluster" 4 | } -------------------------------------------------------------------------------- 
/clusters/management-cluster/setup-quay/templates/_helpers.tpl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tjungbauer/openshift-clusterconfig-gitops/d47d85acc9324972e253db70a46fa16ee3c17d28/clusters/management-cluster/setup-quay/templates/_helpers.tpl -------------------------------------------------------------------------------- /clusters/management-cluster/setup-rh-build-of-keycloak/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: setup-rh-build-of-keycloak 3 | description: Deploy and configure the operator Red Hat Build of Keycloak 4 | home: https://github.com/tjungbauer/openshift-clusterconfig-gitops/tree/main/clusters/management-cluster/setup-rh-build-of-keycloak 5 | version: 1.0.1 6 | dependencies: 7 | - name: tpl 8 | version: ~1.0.0 9 | repository: https://charts.stderr.at/ 10 | - name: helper-operator 11 | version: ~1.0.21 12 | repository: https://charts.stderr.at/ 13 | - name: helper-status-checker 14 | version: ~4.0.0 15 | repository: https://charts.stderr.at/ 16 | condition: helper-status-checker.enabled 17 | - name: cert-manager 18 | version: ~1.0.0 19 | repository: https://charts.stderr.at/ 20 | condition: cert-manager.enabled 21 | - name: rh-build-keycloak 22 | version: ~1.0.0 23 | repository: https://charts.stderr.at/ 24 | condition: keycloak.enabled 25 | maintainers: 26 | - name: tjungbauer 27 | email: tjungbau@redhat.com 28 | url: https://blog.stderr.at/ 29 | sources: 30 | - https://github.com/tjungbauer/helm-charts 31 | - https://charts.stderr.at/ 32 | - https://github.com/tjungbauer/openshift-clusterconfig-gitops 33 | keywords: 34 | - keycloak 35 | - sso 36 | -------------------------------------------------------------------------------- /clusters/management-cluster/setup-rh-build-of-keycloak/LICENSE: -------------------------------------------------------------------------------- 1 | Copyright 2025 
Thomas Jungbauer 2 | 3 | Licensed under the Apache License, Version 2.0 (the "License"); 4 | you may not use this file except in compliance with the License. 5 | You may obtain a copy of the License at 6 | 7 | http://www.apache.org/licenses/LICENSE-2.0 8 | 9 | Unless required by applicable law or agreed to in writing, software 10 | distributed under the License is distributed on an "AS IS" BASIS, 11 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | See the License for the specific language governing permissions and 13 | limitations under the License. -------------------------------------------------------------------------------- /clusters/management-cluster/setup-rh-build-of-keycloak/README.md.gotmpl: -------------------------------------------------------------------------------- 1 | {{ template "doc.header" . }} 2 | 3 | This chart will perform: 4 | 1. Installation of the RH build of Keycloak Operator 5 | 2. Configuration of a Keycloak instance 6 | 3. Installation of an example database (optional) 7 | 4. Requesting a Certificate using cert-manager (optional) 8 | 9 | {{ template "doc.deps" . }} 10 | 11 | {{ template "doc.maintainer_and_sources" . }} 12 | 13 | 14 | ## Example values file 15 | 16 | ```yaml 17 | --- 18 | namespace: &namespace "keycloak" 19 | ssohostname: &ssohostname sss.apps.ocp.aws.ispworld.at 20 | 21 | cert-manager: 22 | enabled: true 23 | 24 | certificates: 25 | enabled: true 26 | 27 | # List of certificates 28 | certificate: 29 | - name: keycloak-certificate 30 | enabled: true 31 | namespace: *namespace 32 | syncwave: "0" 33 | secretName: keycloak-certificate 34 | 35 | dnsNames: 36 | - *ssohostname 37 | 38 | # Reference to the issuer that shall be used. 39 | issuerRef: 40 | name: letsencrypt-prod 41 | kind: ClusterIssuer 42 | 43 | # -- The following section contains the configuration for the Red Hat build of Keycloak. 
44 | rh-build-keycloak: 45 | enabled: true 46 | 47 | namespace: 48 | name: *namespace 49 | create: true 50 | 51 | keycloak: 52 | name: example-keycloak 53 | namespace: *namespace 54 | 55 | hostname: 56 | hostname: *ssohostname 57 | 58 | http: 59 | tlsSecret: "keycloak-certificate" 60 | 61 | db: 62 | use_example_db_sta: true 63 | exmple_db_user: testuser 64 | example_db_pass: "" 65 | 66 | # Install Operator Compliance Operator 67 | # Deploys Operator --> Subscription and Operatorgroup 68 | # Syncwave: 0 69 | helper-operator: 70 | operators: 71 | rhbk-operator: 72 | enabled: true 73 | syncwave: '0' 74 | namespace: 75 | name: *namespace 76 | create: false 77 | subscription: 78 | channel: stable-v22 79 | approval: Automatic 80 | operatorName: rhbk-operator 81 | source: redhat-operators 82 | sourceNamespace: openshift-marketplace 83 | operatorgroup: 84 | create: true 85 | notownnamespace: false 86 | 87 | helper-status-checker: 88 | enabled: true 89 | 90 | checks: 91 | - operatorName: rhbk-operator 92 | namespace: 93 | name: rhbk-operator 94 | serviceAccount: 95 | name: "status-checker-rhbk" 96 | ``` 97 | 98 | {{ template "doc.footer" . 
}} 99 | -------------------------------------------------------------------------------- /clusters/management-cluster/setup-rh-build-of-keycloak/config.json: -------------------------------------------------------------------------------- 1 | { 2 | "namespace": "keycloak", 3 | "environment": "in-cluster" 4 | } -------------------------------------------------------------------------------- /clusters/management-cluster/setup-rh-build-of-keycloak/templates/_helpers.tpl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tjungbauer/openshift-clusterconfig-gitops/d47d85acc9324972e253db70a46fa16ee3c17d28/clusters/management-cluster/setup-rh-build-of-keycloak/templates/_helpers.tpl -------------------------------------------------------------------------------- /clusters/management-cluster/setup-rh-build-of-keycloak/values.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | namespace: &namespace "keycloak" 3 | ssohostname: &ssohostname sso.apps.ocp.aws.ispworld.at 4 | 5 | cert-manager: 6 | enabled: true 7 | 8 | certificates: 9 | enabled: true 10 | 11 | # List of certificates 12 | certificate: 13 | - name: keycloak-certificate 14 | enabled: true 15 | namespace: *namespace 16 | syncwave: "0" 17 | secretName: keycloak-certificate 18 | 19 | dnsNames: 20 | - *ssohostname 21 | 22 | # Reference to the issuer that shall be used. 23 | issuerRef: 24 | name: letsencrypt-prod 25 | kind: ClusterIssuer 26 | 27 | # -- The following section contains the configuration for the Red Hat build of Keycloak. 
28 | rh-build-keycloak: 29 | enabled: true 30 | 31 | namespace: 32 | name: *namespace 33 | create: true 34 | 35 | keycloak: 36 | name: keycloak 37 | namespace: *namespace 38 | 39 | hostname: 40 | hostname: *ssohostname 41 | 42 | http: 43 | tlsSecret: "keycloak-certificate" 44 | 45 | db: 46 | use_example_db_sta: true 47 | exmple_db_user: testuser 48 | example_db_pass: "" 49 | 50 | additionalAnnotations: 51 | argocd.argoproj.io/sync-wave: '10' 52 | argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true 53 | 54 | # Install Operator Compliance Operator 55 | # Deploys Operator --> Subscription and Operatorgroup 56 | # Syncwave: 0 57 | helper-operator: 58 | operators: 59 | rhbk-operator: 60 | enabled: true 61 | syncwave: '0' 62 | namespace: 63 | name: *namespace 64 | create: false 65 | subscription: 66 | channel: stable-v22 67 | approval: Automatic 68 | operatorName: rhbk-operator 69 | source: redhat-operators 70 | sourceNamespace: openshift-marketplace 71 | operatorgroup: 72 | create: true 73 | notownnamespace: false 74 | 75 | helper-status-checker: 76 | enabled: true 77 | 78 | checks: 79 | - operatorName: rhbk-operator 80 | namespace: 81 | name: *namespace 82 | serviceAccount: 83 | name: "status-checker-rhbk" 84 | -------------------------------------------------------------------------------- /clusters/management-cluster/trusted-profile-analyzer/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: setup-trusted-profile-analyzer 3 | description: Setup Trusted Profile Analyzer 4 | version: 1.0.0 5 | dependencies: 6 | - name: tpl 7 | version: ~1.0.0 8 | repository: https://charts.stderr.at/ 9 | - name: helper-objectstore 10 | version: ~1.0.0 11 | repository: https://charts.stderr.at/ 12 | condition: helper-objectstore.enabled 13 | - name: redhat-trusted-profile-analyzer 14 | version: ~1.0.0 15 | repository: https://charts.openshift.io/ 16 | maintainers: 17 | - name: tjungbauer 18 | 
-------------------------------------------------------------------------------- /clusters/management-cluster/trusted-profile-analyzer/config.json: -------------------------------------------------------------------------------- 1 | { 2 | "namespace": "trusted-profile-analyzer", 3 | "environment": "in-cluster" 4 | } -------------------------------------------------------------------------------- /clusters/management-cluster/trusted-profile-analyzer/templates/SEALED-postgresql-user-credentials.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: bitnami.com/v1alpha1 3 | kind: SealedSecret 4 | metadata: 5 | creationTimestamp: null 6 | name: postgresql-credentials 7 | namespace: trusted-profile-analyzer 8 | spec: 9 | encryptedData: 10 | db.host: AgAiblrXew/jaQt4E3oz9xEJyuYqmwxmcBUqUM1esPxxwga/DTXRgDjKC+3nLYcWl6ejCHjhiaB08E/5EZoElCFIhT39Vl9ZiuMwHtzOdxrY/Rx4ZvIRRt/w92NptxDGH32hykh0zRHIPsJaSsJHHosrzCwO6Tx1qhwj9wL8/yJr+87Bdd1Vk33n56uLDg71sNrHdQrXNzTK+KkLwypwqaGshAKt5NtmSFj8y0iEL+57yB3W8kIRZQdEPOS1gU8MYybMYhhXH8B0811uuo4rK+Hr2GLVZoakPS3esemSA8HyznJwOg62ODwHshDs3dEBBWUaqDDanCzxN5tRSPCzDVB5CCmcQaDREwFg30K/hevNiXPeOgssVrCPAroYarg7Iq+PjK/79pn4qFVBr4dgYhcgC1mw4KhqxvgQrOgcDz6hXfhxKrs/eY+57q2OCVjxG6caqiZ2Lb6RFD+mZLTyBlfYGNOwDbtLx8KfFieRg8IPNEmMXPAkEZZryNngeDsow7TTv3MpXNLnvx+GFFjqEmvXVVdB8Hs0A1wUkpy9pBURcrHlLoRZVzITOBk7hLDtQk6p8vZZQNodCRxPm457mwK+HHJhhCCo2zXOJsgYgHdLB+1Oj51vaUQOJUmtwmIFplgIRHYRgYosoN35eb50uCpmT4AF0MdxDU4htYfistsvbz2hAnvkatsIXOdkeUshUA2oCFiGUpDR5WLKxCgViIMKp/7KIZRzed4vw6UZOlPmHmO+9IO+IC4fBr64+/yB0IkoPs2OAek= 11 | db.name: 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 12 | db.password: 
AgCTPvTt6aSdnoDr7QFQdf2QecUGOVVPWWiP/ZdInKKmxaFCP3Zk+49AwYvbs1Qa9zApVBQxp/u52dUSdzEr/HSrVkf57ujm59FM0/HrGGS6UnsxNGeJaRfJX3yz5tDGHngRyI+u2AsghX6+/d+0k1D/WdwBk6jXK5X15Xq2tWdYP8z+YCmrLkOuQLIcbez0PzuaAnhdTT3uwE9SMq02+bY1kmaEljELtwz4isz1vgUks2YwicsocaTPstNSPxLPdrJWqrMIlCjtYYPNWJrpVMYLWhEoqSiqABTgr63ev68U7sGlWLNNNMR+TwU9ggb3BiuieHgtfq8NR/+1/muEoh/dVMURkO6u5iSBZLmW97dJcCi+9Siy3EuuDGvpOv0R8NH2RfZPEiZhuRCEP9Y1jBA5WiTqPLIB6W7M9otbt+1ZEr9F2fxhPTuc8CesAYGRyQRnlYSxhZjCejvNvOlYAKM1KgINl5kybSE6EWoK2slZgfEhzHwrGSuXlaOJTsCJKHzc9Evt2QE+lS4KipjDUap3UrmELyWy2Khl83CoAdsZxXsz+ndD/29cXmqnACrpdDcl4YZQe9VYXdWkao9+2TFcF98ItK7r+Th0bv+4y+k1n1+tzE00YCiUR1fXyt0Njjx9GO1RT0xY3Xw1D+MLcAgKlWIXsqjna2E74rrO2y0+8+2dwvplwTJBLAJmkuFria6nr5NYa6XQ 13 | db.port: 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 14 | db.user: 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 15 | template: 16 | metadata: 17 | creationTimestamp: null 18 | name: postgresql-credentials 19 | namespace: trusted-profile-analyzer 20 | type: Opaque 21 | -------------------------------------------------------------------------------- /clusters/management-cluster/trusted-profile-analyzer/templates/example-db.yaml: -------------------------------------------------------------------------------- 1 | {{ if eq (.Values.db.use_example_db_sts | toString) "true" }} 2 | --- 3 | apiVersion: apps/v1 4 | kind: StatefulSet 5 | metadata: 6 | name: postgresql-db 7 | namespace: {{ .Values.namespace.name | default "trusted-profile-analyzer" }} 8 | spec: 9 | serviceName: postgresql-db-service 10 | selector: 11 | matchLabels: 12 | app: postgresql-db 13 | replicas: 1 14 | template: 15 | metadata: 16 | labels: 17 | app: postgresql-db 18 | spec: 19 | containers: 20 | - name: postgresql-db 21 | image: postgres:17 22 | volumeMounts: 23 | - mountPath: /data 24 | name: psql 25 | env: 26 | - name: POSTGRES_USER 27 | value: {{ .Values.db.example_db_user | default "testuser" }} 28 | - name: POSTGRES_PASSWORD 29 | value: {{ .Values.db.example_db_pass | 
default "thisisonly4testingNOT4prod" }} 30 | - name: PGDATA 31 | value: /data/pgdata 32 | - name: POSTGRES_DB 33 | value: rhtpadb 34 | volumeClaimTemplates: 35 | - metadata: 36 | name: psql 37 | spec: 38 | accessModes: [ "ReadWriteOnce" ] 39 | storageClassName: "gp3-csi" 40 | resources: 41 | requests: 42 | storage: 10Gi 43 | --- 44 | apiVersion: v1 45 | kind: Service 46 | metadata: 47 | name: postgres-db 48 | namespace: {{ .Values.namespace.name | default "trusted-profile-analyzer" }} 49 | spec: 50 | selector: 51 | app: postgresql-db 52 | type: LoadBalancer 53 | ports: 54 | - port: 5432 55 | targetPort: 5432 56 | {{- end }} -------------------------------------------------------------------------------- /clusters/management-cluster/trusted-profile-analyzer/templates/namespace.yaml: -------------------------------------------------------------------------------- 1 | {{- if eq (.Values.enabled | toString) "true" }} 2 | {{- if eq (.Values.namespace.create | toString) "true" }} 3 | --- 4 | kind: Namespace 5 | apiVersion: v1 6 | metadata: 7 | name: {{ .Values.namespace.name | default "trusted-profile-analyzer" }} 8 | annotations: 9 | {{- include "tpl.namespaceDescr" .Values.namespace.descr | nindent 4 }} 10 | {{- include "tpl.namespaceDisplay" .Values.namespace.display | nindent 4 }} 11 | {{- include "tpl.additionalAnnotations" .Values.namespace.additionalAnnotations | indent 4 }} 12 | labels: 13 | openshift.io/cluster-monitoring: "true" 14 | {{- include "tpl.labels" $ | nindent 4 }} 15 | {{- include "tpl.additionalLabels" .Values.namespace.additionalLabels | indent 4 }} 16 | spec: {} 17 | {{- end }} 18 | {{- end }} 19 | -------------------------------------------------------------------------------- /clusters/management-cluster/trusted-profile-analyzer/values-importers.yaml: -------------------------------------------------------------------------------- 1 | redhat-trusted-profile-analyzer: 2 | $schema: "charts/trustify/values.schema.json" 3 | 4 | appDomain: asdf 5 | 
tracing: {} 6 | 7 | modules: 8 | createImporters: 9 | enabled: true 10 | importers: 11 | redhat-sboms: 12 | sbom: 13 | description: All Red Hat SBOMs 14 | period: 1d 15 | source: https://access.redhat.com/security/data/sbom/beta/ 16 | keys: 17 | - https://access.redhat.com/security/data/97f5eac4.txt#77E79ABE93673533ED09EBE2DCE3823597F5EAC4 18 | disabled: true 19 | fetchRetries: 50 20 | redhat-csaf: 21 | csaf: 22 | description: All Red Hat CSAF data 23 | period: 1d 24 | source: redhat.com 25 | disabled: true 26 | fetchRetries: 50 27 | cve: 28 | cve: 29 | description: CVE list v5 30 | period: 1d 31 | source: https://github.com/CVEProject/cvelistV5 32 | disabled: false 33 | osv-github: 34 | osv: 35 | description: GitHub Advisory Database 36 | period: 1d 37 | source: https://github.com/github/advisory-database 38 | path: advisories 39 | disabled: false -------------------------------------------------------------------------------- /clusters/management-cluster/trusted-profile-analyzer/values-rhtpa.yaml: -------------------------------------------------------------------------------- 1 | redhat-trusted-profile-analyzer: 2 | appDomain: apps.ocp.aws.ispworld.at 3 | 4 | ingress: 5 | className: openshift-default 6 | additionalAnnotations: 7 | "haproxy.router.openshift.io/timeout": "5m" 8 | 9 | storage: 10 | type: s3 11 | region: REGION 12 | bucket: trusted-profile-analyzer-b58f7115-7076-4595-9194-e8b0c213be38 13 | endpoint: s3.openshift-storage.svc 14 | accessKey: 15 | valueFrom: 16 | secretKeyRef: 17 | name: trusted-profile-analyzer 18 | key: AWS_ACCESS_KEY_ID 19 | secretKey: 20 | valueFrom: 21 | secretKeyRef: 22 | name: trusted-profile-analyzer 23 | key: AWS_SECRET_ACCESS_KEY 24 | 25 | database: 26 | sslMode: require 27 | host: 28 | valueFrom: 29 | secretKeyRef: 30 | name: postgresql-credentials 31 | key: db.host 32 | port: 33 | valueFrom: 34 | secretKeyRef: 35 | name: postgresql-credentials 36 | key: db.port 37 | name: 38 | valueFrom: 39 | secretKeyRef: 40 | name: 
postgresql-credentials 41 | key: db.name 42 | username: 43 | valueFrom: 44 | secretKeyRef: 45 | name: postgresql-credentials 46 | key: db.user 47 | password: 48 | valueFrom: 49 | secretKeyRef: 50 | name: postgresql-credentials 51 | key: db.password 52 | 53 | createDatabase: 54 | name: 55 | valueFrom: 56 | secretKeyRef: 57 | name: postgresql-admin-credentials 58 | key: db.name 59 | username: 60 | valueFrom: 61 | secretKeyRef: 62 | name: postgresql-admin-credentials 63 | key: db.user 64 | password: 65 | valueFrom: 66 | secretKeyRef: 67 | name: postgresql-admin-credentials 68 | key: db.password 69 | 70 | migrateDatabase: 71 | username: 72 | valueFrom: 73 | secretKeyRef: 74 | name: postgresql-admin-credentials 75 | key: db.user 76 | password: 77 | valueFrom: 78 | secretKeyRef: 79 | name: postgresql-admin-credentials 80 | key: db.password 81 | 82 | modules: 83 | createDatabase: 84 | enabled: true 85 | migrateDatabase: 86 | enabled: true 87 | 88 | oidc: 89 | issuerUrl: https://sso.apps.ocp.aws.ispworld.at/realms/openshift 90 | clients: 91 | frontend: 92 | clientId: openshift 93 | cli: 94 | clientId: openshift 95 | clientSecret: 96 | valueFrom: 97 | secretKeyRef: 98 | name: oidc-cli 99 | key: client-secret 100 | -------------------------------------------------------------------------------- /clusters/management-cluster/update-clusterversion/README.md: -------------------------------------------------------------------------------- 1 | # update-clusterversion 2 | 3 | TODO -------------------------------------------------------------------------------- /clusters/management-cluster/update-clusterversion/config.json: -------------------------------------------------------------------------------- 1 | { 2 | "namespace": "default", 3 | "environment": "in-cluster" 4 | } -------------------------------------------------------------------------------- /clusters/management-cluster/update-clusterversion/kustomization.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | helmCharts: 4 | - name: update-clusterversion 5 | repo: https://charts.stderr.at 6 | valuesFile: values.yaml 7 | -------------------------------------------------------------------------------- /clusters/management-cluster/update-clusterversion/values.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | channel: stable-4.15 4 | 5 | # -- The desired version that the cluster shall be updated to. The available versions 6 | # can be found with oc get clusterversion -o yaml 7 | # Verify the availableUpdates to find the required version. 8 | desiredVersion: 4.14.28 9 | 10 | # -- OPTIONAL: The desired image SHA that the cluster shall be updated to. The available SHA 11 | # can be found with oc get clusterversion -o yaml 12 | # Verify the availableUpdates to find the required SHA. 13 | # This option is optional and typically only used for restricted clusters. 
14 | image: '' -------------------------------------------------------------------------------- /clusters/management-cluster/wave-acm-policy-management/config.json: -------------------------------------------------------------------------------- 1 | { 2 | "namespace": "default", 3 | "environment": "in-cluster" 4 | } -------------------------------------------------------------------------------- /clusters/management-cluster/wave-acm-policy-management/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | helmCharts: 4 | - name: helper-argocd 5 | repo: https://charts.stderr.at 6 | valuesFile: values.yaml 7 | -------------------------------------------------------------------------------- /clusters/management-cluster/wave-acm-policy-management/values.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ############################################################################# 3 | # WAVE CONTROLLER 4 | # 5 | # The purpose of this wave controller is to create an App-of-Apps 6 | # that is able to roll out specified Argo CD Applications in (sync)waves. 7 | # This is currently not possible with ApplicationSet (end 2023) 8 | # 9 | # Applications that are dependent on each other, or form some kind of 10 | # group, should be defined this way. 11 | # 12 | # In this example Security Tools are deployed in the following order: 13 | # 1. Configure Allowed Registries 14 | # 2. Deploy and configure Compliance Operator 15 | # 3. Deploy and configure Advanced Cluster Security 16 | # 17 | # The syntax to define the Applications that shall be managed by 18 | # the App-of-Apps is defined in the helm chart "helper-argocd" 19 | # 20 | # NOTE: It makes sense that the managed Applications are automatically 21 | # synced. 
22 | ############################################################################# 23 | 24 | 25 | # Anchors ... because I am lazy. 26 | mgmt-cluster: &mgmtcluster https://kubernetes.default.svc 27 | repourl: &repourl 'https://github.com/tjungbauer/openshift-clusterconfig-gitops' 28 | repobranch: &branch main 29 | 30 | # Generic default values, they might be overwritten in the Application specification 31 | general: 32 | source: 33 | repourl: *repourl 34 | branch: *branch 35 | server: *mgmtcluster 36 | 37 | # Argo CD Applications 38 | applications: 39 | 40 | # Name of the Application in Argo CD --> this key will be used as name 41 | wave-1-acm-preparation: 42 | enabled: true 43 | syncwave: '1' 44 | description: "Wave 1 to prepare ACM by create a ManagedClusterSet, Namespace etc." 45 | 46 | # SyncPolicies 47 | syncPolicy: 48 | # Enable Automatic Sync 49 | autosync_enabled: true 50 | 51 | # Enable Selfhealing 52 | # Default: false 53 | syncpolicy_selfheal: true 54 | 55 | # Enable automatic pruning 56 | # Default: false 57 | # syncpolicy_prune: false 58 | 59 | # Sync Options for this Application 60 | syncOptions: 61 | - name: ApplyOutOfSyncOnly 62 | value: true 63 | 64 | # Source ... here only the path is defined, the rest is taken from the 65 | # generic values defined at the top. 
66 | source: 67 | path: clusters/management-cluster/waves/acm-policies/acm-preparation 68 | 69 | # WAVE 10: Cluster health policies 70 | wave-10-policy-clusterhealth: 71 | enabled: true 72 | syncwave: '10' 73 | description: "Wave 10 Add policies to monitor the health of the pods inside a cluster" 74 | syncPolicy: 75 | autosync_enabled: true 76 | syncpolicy_selfheal: true 77 | syncOptions: 78 | - name: ApplyOutOfSyncOnly 79 | value: true 80 | source: 81 | path: clusters/management-cluster/waves/acm-policies/clusterhealth 82 | -------------------------------------------------------------------------------- /clusters/management-cluster/waves/acm-policies/acm-preparation/managedClusterSet.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: cluster.open-cluster-management.io/v1beta2 2 | kind: ManagedClusterSet 3 | metadata: 4 | annotations: 5 | argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true 6 | name: hub 7 | spec: 8 | clusterSelector: 9 | selectorType: ExclusiveClusterSetLabel -------------------------------------------------------------------------------- /clusters/management-cluster/waves/acm-policies/acm-preparation/managedClusterSetBinding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: cluster.open-cluster-management.io/v1beta2 2 | kind: ManagedClusterSetBinding 3 | metadata: 4 | annotations: 5 | argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true 6 | name: hub 7 | namespace: policies-hub 8 | spec: 9 | clusterSet: hub -------------------------------------------------------------------------------- /clusters/management-cluster/waves/acm-policies/acm-preparation/policyNamespace.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: policies-hub 5 | spec: {} -------------------------------------------------------------------------------- 
/clusters/management-cluster/waves/acm-policies/clusterhealth/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | helmCharts: 4 | - name: helm-policy-generator 5 | repo: https://charts.stderr.at 6 | valuesFile: values.yaml 7 | -------------------------------------------------------------------------------- /clusters/management-cluster/waves/acm-policies/clusterhealth/values.yaml: -------------------------------------------------------------------------------- 1 | namespace: &namespace policies-hub 2 | 3 | policyDefaults: 4 | categories: 5 | - CM Configuration Management 6 | controls: 7 | - CM-3 Configuration Change Control 8 | - Health Checks 9 | standards: 10 | - NIST SP 800-53 Rev 5.1.1 11 | - Baseline 2024v1 12 | description: "Cluster Health Checks" 13 | globalRemediationAction: inform 14 | 15 | policySet: 16 | enabled: true 17 | sets: 18 | - name: generic-cluster-health-checks 19 | description: "Performing generic health checks" 20 | namespace: *namespace 21 | placement: 22 | clusterSets: 23 | - hub 24 | lableSelectors: 25 | - key: name 26 | operator: In 27 | values: 28 | - local-cluster 29 | 30 | policies: 31 | - policyname: pods-healthcheck 32 | namespace: *namespace 33 | disabled: 'false' 34 | policy_templates: 35 | - name: pods-healthcheck 36 | name_use_template_filename: "true" 37 | path: "examples/cluster-health-checks/pods-health-check" 38 | complianceType: mustnothave 39 | namespaceSelector: 40 | include: 41 | - "*" 42 | exclude: 43 | - default 44 | 45 | - policyname: terminating-namespace 46 | namespace: *namespace 47 | disabled: 'false' 48 | policy_templates: 49 | - name: terminating-namespace-healthcheck 50 | path: "examples/cluster-health-checks/terminating-namespaces" 51 | complianceType: mustnothave 52 | namespaceSelector: 53 | include: 54 | - "*" 55 | exclude: 56 | - default 57 | 58 | - policyname: 
cluster-operators-healthcheck 59 | namespace: *namespace 60 | disabled: 'false' 61 | policy_templates: 62 | - name: cluster-operators-healthcheck 63 | path: "examples/cluster-health-checks/cluster-operators-healthcheck" 64 | raw: "true" 65 | 66 | - policyname: openshift-certificate-expiration-check 67 | namespace: *namespace 68 | disabled: 'false' 69 | policy_templates: 70 | - name: openshift-ingress-controller 71 | kind: CertificatePolicy 72 | minimumDuration: 24h 73 | minimumCADuration: 400h 74 | namespaceSelector: 75 | include: 76 | - openshift-ingress 77 | - name: penshift-csrs 78 | kind: CertificatePolicy 79 | minimumDuration: 24h 80 | minimumCADuration: 400h 81 | namespaceSelector: 82 | include: 83 | - openshift-kube-apiserver-operator 84 | - openshift-kube-controller-manager-operator 85 | - name: openshift-internal-certs 86 | kind: CertificatePolicy 87 | minimumDuration: 24h 88 | namespaceSelector: 89 | include: 90 | - openshift-config-managed 91 | - openshift-kube-apiserver 92 | - openshift-kube-scheduler 93 | - openshift-kube-controller-manager 94 | 95 | - policyname: openshift-data-foundation-healthcheck 96 | namespace: *namespace 97 | disabled: 'false' 98 | policy_templates: 99 | - name: odf-healthcheck 100 | name_use_template_filename: "true" 101 | path: "examples/cluster-health-checks/openshift-data-foundation-healthcheck" 102 | complianceType: musthave 103 | -------------------------------------------------------------------------------- /ct-test.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | for charts in `find . 
-name 'Chart.yaml' -type f | xargs -I{} dirname {}`; do 3 | printf "\n\n##### CHECKING $charts #####\n"; 4 | ct lint --charts $charts; 5 | done -------------------------------------------------------------------------------- /delete_GitOps.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | #set -euf -o pipefail 3 | oc delete Application.argoproj.io -n openshift-gitops --all 4 | oc delete Applicationset.argoproj.io -n openshift-gitops --all 5 | oc delete Application.argoproj.io -n openshift-gitops --all 6 | sleep 5 7 | oc delete Appproject -A --all 8 | oc delete subscription openshift-gitops-operator -n openshift-gitops-operator 9 | oc delete operatorgroup openshift-gitops-operator -n openshift-gitops-operator 10 | for i in `oc get crd | grep argoproj.io | awk -F" " '{print $1}'`; do oc delete crd $i; done 11 | 12 | oc delete project openshift-gitops 13 | oc delete project openshift-gitops-operator 14 | -------------------------------------------------------------------------------- /helm-lint-test.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | for charts in $(find . 
-name 'Chart.yaml'); do 4 | helm_dir=$(dirname "${charts}") 5 | echo "Checking $helm_dir" 6 | echo "Trying to find in-cluster-values.yaml files" 7 | add_val_files=$(find $helm_dir -type f -name in-cluster-values.yaml) 8 | if [ -z "$add_val_files" ]; then 9 | echo "No additional files found" 10 | values="" 11 | else 12 | echo "Additional file found $add_val_files" 13 | values="-f $add_val_files" 14 | fi 15 | 16 | helm dep up "${helm_dir}" 17 | helm lint --strict $values "${helm_dir}" 18 | echo "Done" 19 | done -------------------------------------------------------------------------------- /renovate.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://docs.renovatebot.com/renovate-schema.json", 3 | "extends": [ 4 | "config:best-practices", 5 | "schedule:earlyMondays" 6 | ], 7 | "bumpVersion": "patch", 8 | "prHourlyLimit": 4 9 | } 10 | -------------------------------------------------------------------------------- /scripts/etcd-encryption/check_encryption_status.sh: -------------------------------------------------------------------------------- 1 | oc get openshiftapiserver -o=jsonpath='{range .items[0].status.conditions[?(@.type=="Encrypted")]}{.reason}{"\n"}{.message}{"\n"}' 2 | 3 | echo "" 4 | 5 | oc get kubeapiserver -o=jsonpath='{range .items[0].status.conditions[?(@.type=="Encrypted")]}{.reason}{"\n"}{.message}{"\n"}' 6 | -------------------------------------------------------------------------------- /scripts/example_bindpassword/README.md: -------------------------------------------------------------------------------- 1 | # Example LDAP BindPassword for DMEO ONLY. 
2 | -------------------------------------------------------------------------------- /scripts/example_bindpassword/create_sealed_secret.sh: -------------------------------------------------------------------------------- 1 | echo -n 'LDAPbindPassword-HERE' | oc create secret generic ldap-secret --dry-run=client --from-file=bindPassword=/dev/stdin -o yaml -n openshift-config \ 2 | | kubeseal --controller-namespace=sealed-secrets --controller-name=sealed-secrets --format yaml > ../../clusters/all/clusterconfig/templates/sealed-ldap-bindpassword-secret.yaml 3 | -------------------------------------------------------------------------------- /scripts/example_htpasswd/README.md: -------------------------------------------------------------------------------- 1 | # Example htpasswd for DMEO ONLY. 2 | 3 | Users: admin, user[1..3] 4 | 5 | Create a htpasswd like this: 6 | 7 | htpasswd -B -b users.htpasswd user3 yoursuperpassword 8 | -------------------------------------------------------------------------------- /scripts/example_htpasswd/create_sealed_secret-mgmt-cluster.sh: -------------------------------------------------------------------------------- 1 | cat users.htpasswd | oc create secret generic htpasswd-secret --dry-run=client --from-file=htpasswd=/dev/stdin -o yaml -n openshift-config \ 2 | | kubeseal --controller-namespace=sealed-secrets --controller-name=sealed-secrets --format yaml > ../../clusters/management-cluster/generic-clusterconfig/templates/htpasswd-sealed-secret.yaml 3 | 4 | # with custom cert 5 | #cat users.htpasswd | oc create secret generic htpasswd-secret --dry-run=client --from-file=htpasswd=/dev/stdin -o yaml -n openshift-config \ 6 | #| kubeseal --cert=//.bitnami/custom-tls.crt --format yaml > ../../clusters/management-cluster/generic-clusterconfig/templates/htpasswd-sealed-secret.yaml 7 | -------------------------------------------------------------------------------- /scripts/loginpage-secrets/create_sealed_secret.sh: 
-------------------------------------------------------------------------------- 1 | cat providers.html | oc create secret generic matrix-provider-template --dry-run=client --from-file=providers.html=/dev/stdin -o yaml -n openshift-config \ 2 | | kubeseal --controller-namespace=sealed-secrets --controller-name=sealed-secrets --format yaml > ../../clusters/all/clusterbranding/templates/idp-provider-page-sealed-secret.yaml 3 | 4 | cat login.html | oc create secret generic matrix-login-template --dry-run=client --from-file=login.html=/dev/stdin -o yaml -n openshift-config \ 5 | | kubeseal --controller-namespace=sealed-secrets --controller-name=sealed-secrets --format yaml > ../../clusters/all/clusterbranding/templates/login-page-sealed-secret.yaml 6 | -------------------------------------------------------------------------------- /scripts/sealed_secrets/create-custom-certificate.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | echo "Creating custom certificate for sealed secrets" 3 | 4 | export PRIVATEKEY="custom-tls.key" 5 | export PUBLICKEY="custom-tls.crt" 6 | export NAMESPACE="sealed-secrets" 7 | export SECRETNAME="customsecret" 8 | 9 | openssl req -x509 -days 3650 -nodes -newkey rsa:4096 -keyout "$PRIVATEKEY" -out "$PUBLICKEY" -subj "/CN=sealed-secret/O=sealed-secret" 10 | 11 | oc -n "$NAMESPACE" create secret tls "$SECRETNAME" --cert="$PUBLICKEY" --key="$PRIVATEKEY" 12 | oc -n "$NAMESPACE" label secret "$SECRETNAME" sealedsecrets.bitnami.com/sealed-secrets-key=active 13 | 14 | oc delete pod -l app.kubernetes.io/name=sealed-secrets -n "$NAMESPACE" 15 | -------------------------------------------------------------------------------- /scripts/sealed_secrets/get-sealed-secret-key.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | echo "Getting public key from Sealed Secrets secret and copying it to ~/.bitnami" 3 | echo "Create dir for Sealed Secrets public 
key. (~/.bitnami)." 4 | mkdir -m 700 -p ~/.bitnami 5 | echo "Backup secret itself" 6 | oc get $(oc get secret -n sealed-secrets -l sealedsecrets.bitnami.com/sealed-secrets-key=active -o name) -n sealed-secrets -o yaml > ~/.bitnami/sealed-secrets-secret.yaml 7 | echo "Get the public key from the Sealed Secrets secret." 8 | keys=`oc get secret -n sealed-secrets -l sealedsecrets.bitnami.com/sealed-secrets-key=active -o name` 9 | for i in $keys; do 10 | echo "Found $i" 11 | name=`echo "$i" | cut -d "/" -f 2` 12 | oc get $i -n sealed-secrets -o jsonpath='{.data.tls\.crt}' | base64 --decode > ~/.bitnami/$name-publickey.pem 13 | done 14 | -------------------------------------------------------------------------------- /scripts/sealed_secrets/replace-sealed-secrets-secret.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | echo "Deleting existing secret." 3 | oc delete secret -n sealed-secrets -l sealedsecrets.bitnami.com/sealed-secrets-key 4 | echo "Creating secret from local drive." 5 | oc create -f ~/.bitnami/sealed-secrets-secret.yaml -n sealed-secrets 6 | echo "Restarting Sealed Secrets controller." 
7 | oc delete pod -l app.kubernetes.io/name=sealed-secrets -n sealed-secrets 8 | -------------------------------------------------------------------------------- /scripts/sonarqube/create_sealed_secret.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | echo -n 'PASSWORD-HERE' | oc create secret generic credentials --dry-run=client --from-file=adminpass=/dev/stdin -o yaml -n sonarqube \ 3 | | kubeseal --controller-namespace=sealed-secrets --controller-name=sealed-secrets --format yaml > ../../clusters/management-cluster/sonarqube/templates/sealed-sonarqube-password.yaml 4 | -------------------------------------------------------------------------------- /tenants/tenant2/in-cluster/values.yaml: -------------------------------------------------------------------------------- 1 | # see full example at ../my-main-app 2 | 3 | # Environment to which these values are valid, this should be the cluster name as defined in the values-global.yaml 4 | # In the best case this is equal to the folder we are currently in, but this is optional. 5 | environment: &environment in-cluster 6 | 7 | # Parameters handed over to Sub-Chart helper-proj-onboarding 8 | helper-proj-onboarding: 9 | 10 | environment: *environment 11 | 12 | # List of namespaces this tenant shall manage. 13 | # A tenant or project may consist of multiple namespaces 14 | namespaces: 15 | 16 | # Name of the first Namespace 17 | - name: &name tenant2-app-1 18 | 19 | # Is this Namespace enabled or not 20 | enabled: true 21 | 22 | # Create a local Group with Admin users and the required rolebinding 23 | # If other systems, like LDAP Group sync, are used, you will probably not need this and can either disable it or remove the whole block. 
24 | local_admin_group: 25 | enabled: true 26 | users: 27 | - mona 28 | 29 | # Name of the second Namespace 30 | - name: &name tenant2-app-2 31 | 32 | # Is this Namespace enabled or not 33 | enabled: true 34 | 35 | # Create a local Group with Admin users and the required rolebinding 36 | # If other systems, like LDAP Group sync, are used, you will probably not need this and can either disable it or remove the whole block. 37 | local_admin_group: 38 | enabled: true 39 | users: 40 | - mona 41 | 42 | -------------------------------------------------------------------------------- /tenants/tenant3/in-cluster/values.yaml: -------------------------------------------------------------------------------- 1 | # see full example at ../my-main-app 2 | 3 | # Environment to which these values are valid, this should be the cluster name as defined in the values-global.yaml 4 | # In the best case this is equal to the folder we are currently in, but this is optional. 5 | environment: &environment in-cluster 6 | 7 | # Parameters handed over to Sub-Chart helper-proj-onboarding 8 | helper-proj-onboarding: 9 | 10 | environment: *environment 11 | 12 | # List of namespaces this tenant shall manage. 13 | # A tenant or project may consist of multiple namespaces 14 | namespaces: 15 | 16 | # Name of the first Namespace 17 | - name: &name tenant3-app-1 18 | 19 | # Is this Namespace enabled or not 20 | enabled: true 21 | 22 | project_size: "S" 23 | 24 | # Override specific quota settings individually 25 | resourceQuotas: 26 | limits: 27 | cpu: 10 28 | 29 | limitRanges: 30 | # Enable LimitRanges or not. You can either disable it or remove the whole block 31 | enabled: true 32 | 33 | # Create a local Group with Admin users and the required rolebinding 34 | # If other systems, like LDAP Group sync, are used, you will probably not need this and can either disable it or remove the whole block. 
35 | local_admin_group: 36 | enabled: true 37 | users: 38 | - mona 39 | -------------------------------------------------------------------------------- /tenants/values-global.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | global: 4 | # Namespace of application scoped GitOps instance, that is responsible to deploy workload onto the clusters 5 | application_gitops_namespace: gitops-application 6 | 7 | # cluster environments. A list of clusters that are known in Argo CD 8 | # name and url must be equal to what is defined in Argo CD 9 | envs: 10 | - name: in-cluster 11 | url: https://kubernetes.default.svc 12 | # - name: production 13 | # url: https://production.cluster 14 | 15 | # Repositories projects are allowed to use. These are configured on a global level and used if not specified in a _T-Shirt_ project. 16 | # Can be overwritten for projects in their specific values-file 17 | allowed_source_repos: 18 | - "https://myrepo" 19 | - "https://the-second-repo" 20 | 21 | tshirt_sizes: 22 | - name: XL 23 | quota: 24 | pods: 100 25 | limits: 26 | cpu: 4 27 | memory: 4Gi 28 | requests: 29 | cpu: 1 30 | memory: 2Gi 31 | - name: L 32 | quota: 33 | limits: 34 | cpu: 2 35 | memory: 2Gi 36 | requests: 37 | cpu: 1 38 | memory: 1Gi 39 | - name: S 40 | quota: 41 | limits: 42 | cpu: 1 43 | memory: 1Gi 44 | requests: 45 | cpu: 500m 46 | memory: 1Gi 47 | limitRanges: 48 | container: 49 | default: 50 | cpu: 1 51 | memory: 4Gi 52 | defaultRequest: 53 | cpu: 1 54 | memory: 2Gi 55 | -------------------------------------------------------------------------------- /values-openshift-gitops.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # Configure openshift-gitops operator. 
This will be enabled via init_GitOps.sh script 3 | gitopsinstances: 4 | openshift_gitops: 5 | enabled: true 6 | namespace: openshift-gitops 7 | clusterAdmin: disabled 8 | global_project: 9 | enabled: false 10 | syncwave: 10 11 | server: 12 | route: 13 | enabled: true 14 | generic_config: 15 | disableAdmin: true 16 | resourceTrackingMethod: annotation 17 | kustomizeBuildOptions: "--enable-helm" 18 | appset: {} 19 | repo: {} 20 | controller: {} 21 | sso: 22 | enabled: true 23 | dex: 24 | openShiftOAuth: true 25 | ha: {} 26 | redis: {} 27 | rbac: 28 | defaultRole: 'role:none' 29 | policy: |- 30 | # Access Control 31 | g, system:cluster-admins, role:admin 32 | g, cluster-admin, role:admin 33 | p, role:none, applications, get, */*, deny 34 | p, role:none, certificates, get, *, deny 35 | p, role:none, clusters, get, *, deny 36 | p, role:none, repositories, get, *, deny 37 | p, role:none, projects, get, *, deny 38 | p, role:none, accounts, get, *, deny 39 | p, role:none, gpgkeys, get, *, deny 40 | scopes: '[groups]' 41 | resourceExclusions: |- 42 | # resources to be excluded 43 | - apiGroups: 44 | - tekton.dev 45 | clusters: 46 | - '*' 47 | kinds: 48 | - TaskRun 49 | - PipelineRun 50 | # Enable default health checks. 51 | # This will create some default health checks I usually add. 52 | # * ClusterLogging, * Application (Argo CD), * Lokistack, * Subscription, * Central (ACS), InstallPlan 53 | default_resourceHealthChecks: true 54 | 55 | # Deploy openshift-gitops operator. 
This will be enabled via init_GitOps.sh script 56 | helper-operator: 57 | enabled: false 58 | operators: 59 | openshift-gitops-operator: 60 | enabled: true 61 | syncwave: '0' 62 | namespace: 63 | name: openshift-gitops-operator 64 | create: true 65 | subscription: 66 | channel: latest 67 | approval: Automatic 68 | operatorName: openshift-gitops-operator 69 | source: redhat-operators 70 | sourceNamespace: openshift-marketplace 71 | operatorgroup: 72 | create: true 73 | notownnamespace: true 74 | 75 | # Deploy openshift-gitops operator. This will be enabled via init_GitOps.sh script 76 | helper-status-checker: 77 | enabled: false 78 | 79 | checks: 80 | 81 | - operatorName: openshift-gitops-operator 82 | namespace: 83 | name: openshift-gitops-operator 84 | syncwave: 3 85 | 86 | serviceAccount: 87 | name: "status-checker-gitops" 88 | --------------------------------------------------------------------------------
