├── .gitignore ├── README.MD ├── config ├── ci │ ├── gitea-config.yaml │ ├── gitea-init-run.yaml │ ├── gitea.yaml │ ├── kustomization.yaml │ ├── nexus.yaml │ └── ns.yaml ├── console │ ├── dev-view.yaml │ ├── kustomization.yaml │ └── links.yaml ├── kustomization.yaml ├── mesh │ ├── README.MD │ ├── control-plane.yaml │ ├── elastic.yaml │ ├── jaeger.yaml │ ├── kiali.yaml │ ├── kustomization.yaml │ ├── mesh.yaml │ ├── ns-op-dt.yaml │ ├── ns-op-rh.yaml │ └── sample │ │ ├── bookinfo-gateway.yaml │ │ ├── bookinfo-sample.yaml │ │ ├── dest-rules.yaml │ │ ├── kustomization.yaml │ │ └── sm-members.yaml ├── monitoring │ ├── README.MD │ ├── cluster-monitoring-config.yaml │ ├── kustomization.yaml │ ├── service-monitor-example.yaml │ └── user-workload-config.yaml ├── oauth │ ├── README.MD │ ├── admin-rb.yaml │ ├── example-client-secret.env │ ├── kustomization.yaml │ └── oauth.yaml ├── operators │ ├── builds.yaml │ ├── crunchy.yaml │ ├── gitops.yaml │ ├── infinispan.yaml │ ├── kustomization.yaml │ ├── pipelines.yaml │ ├── rhdh.yaml │ ├── serverless.yaml │ └── strimzi.yaml ├── registry │ ├── config.yaml │ ├── image-registry.yaml │ └── kustomization.yaml ├── rhdh │ ├── README.MD │ ├── app-config-rhdh.yaml │ ├── backstage.yaml │ ├── dynamic-plugins.yaml │ ├── example-backend-secret.env │ ├── example-github-secret.env │ ├── kustomization.yaml │ ├── ns.yaml │ └── rbac-policy.csv ├── storage │ ├── csi-driver-hostpath-provisioner.yaml │ ├── csi-driver │ │ └── csi-kubevirt-hostpath-provisioner.yaml │ ├── csi-sc.yaml │ ├── external-provisioner-rbac.yaml │ ├── kubevirt-hostpath-security-constraints-csi.yaml │ ├── kustomization.yaml │ └── namespace.yaml └── users │ ├── admin-rb.yaml │ ├── htpasswd │ ├── htpasswd-cr.yaml │ └── kustomization.yaml └── setup.sh /.gitignore: -------------------------------------------------------------------------------- 1 | # DO NOT ADD config/oauth/client-secret.env 2 | config/oauth/client-secret.env 3 | config/rhdh/github-secret.env 4 | 
config/rhdh/backend-secret.env -------------------------------------------------------------------------------- /README.MD: -------------------------------------------------------------------------------- 1 | # openshift-config 2 | This is a script which has some configuration modules for a fresh and clean OpenShift installation. If you've been using the Single Node OpenShift installation, you need some persistent volumes and you need to make the internal registry able to store your images. 3 | 4 | This is what the script does right now: 5 | 6 | - It is setting up Kubevirt Hostpath Provisioner for storage 7 | - Configuring the internal registry to be able to store images 8 | - Installing some operators (namely gitops, serverless and pipelines, builds, postgresql and strimzi) for demo purposes 9 | - Setting up a 'ci' namespace with nexus and Gitea ready to use 10 | - Setting up an htpasswd identity provider with 2 users, admin and devel; admin is bound to cluster-admin (both accounts use the well-known default passwords listed under "users" below, so rotate them before anyone else can reach the cluster) 11 | - Setting up Google as SSO OAuth2 provider 12 | - Configuring openshift console to show links and other resources for demo purposes 13 | - Installing and configuring OpenShift ServiceMesh for demo 14 | - Configuring cluster monitoring and user-workload monitoring 15 | - Installing and configuring Red Hat Developer Hub (based on backstage.io) 16 | 17 | ## Usage 18 | In order to use this script, you first need to be logged into OpenShift as a user with cluster-admin role. This is typically the `kubeadmin` user after a fresh installation. 19 | 20 | The following modules are available: 21 | - ci 22 | - console 23 | - mesh 24 | - rhdh 25 | - monitoring 26 | - oauth 27 | - operators 28 | - registry 29 | - storage 30 | - users 31 | 32 | 33 | The `ci` module only needs a regular user context (devel or developer); the remaining modules create cluster-scoped resources and are expected to run with cluster-admin. 
34 | 35 | The typical workflow after installing an OpenShift SNO from this page is: 36 | - Create the OpenShift SNO 37 | - `./setup.sh storage` 38 | - `./setup.sh registry` 39 | - `./setup.sh users` 40 | - `./setup.sh console` 41 | - `./setup.sh operators` 42 | 43 | Be careful to NOT install storage if you've already installed any other storage provider! 44 | 45 | You could also let openshift-config decide what to install in your freshly installed OpenShift cluster by specifying an environment: 46 | - sno: installs everything necessary (console, operators, storage, registry, users) 47 | - crc: installs only what is necessary (console, operators, users) 48 | - aws: installs only what is necessary (console, operators, users) 49 | - all: like sno 50 | 51 | 52 | ### storage 53 | ```bash 54 | $> ./setup.sh storage 55 | ``` 56 | 57 | This installs the CSI kubevirt hostpath provisioner into the target OpenShift installation. It also creates a StorageClass which will then be used for all PVs. 58 | 59 | Please DO NOT install this if your OpenShift cluster already contains a storage provider! 60 | 61 | ### registry 62 | ```bash 63 | $> ./setup.sh registry 64 | ``` 65 | 66 | This switches the internal registry to "Managed" and binds it to a PV called pv0001. For this module, you must be logged in as kube:admin in your cluster. 67 | 68 | ### operators 69 | ```bash 70 | $> ./setup.sh operators 71 | ``` 72 | 73 | This installs several operators. Please make sure to be logged into the OpenShift instance as cluster-admin. And you already should have storage available. 74 | 75 | ### ci 76 | ```bash 77 | $> ./setup.sh ci 78 | ``` 79 | 80 | This installs a Nexus and Gitea into a newly created namespace called ci. It also migrates four repositories from github.com into Gitea (see `config/ci/gitea-init-run.yaml`). After that it prints out the access details for both instances; be aware that, if the `gitea-init-run` task is used, it also prints the Gitea admin password and the generated API token into the task log, so treat that log as sensitive. 
By default, we are using 81 | 82 | - Nexus: admin/admin123 83 | - Gitea: gitea/openshift 84 | These are demo credentials committed to this repository. Both services are exposed through plain-HTTP Routes (no TLS stanza in `config/ci/nexus.yaml` or `config/ci/gitea.yaml`), and Gitea is configured with open self-registration and password complexity turned off (`DISABLE_REGISTRATION = false`, `PASSWORD_COMPLEXITY = off` in `config/ci/gitea-config.yaml`), so change the passwords and restrict or TLS-terminate the routes before exposing the cluster beyond a local demo. 85 | ### users 86 | ```bash 87 | $> ./setup.sh users 88 | ``` 89 | This adds an HTPasswd identity provider to the cluster with 2 users in it: 90 | - admin/admin123 -> cluster-admin 91 | - devel/devel -> normal user 92 | Both passwords are published here, so treat the `admin` account as known-by-default and rotate it (or replace the identity provider) before the cluster is reachable by anyone else. 93 | You need to be logged into OpenShift with cluster-admin rights. 94 | 95 | ### console 96 | ```bash 97 | $> ./setup.sh console 98 | ``` 99 | Installs some links into the OpenShift console and pins additional resources in the Developer perspective (ConfigMaps, Secrets, Pods, PersistentVolumeClaims, Routes, Deployments, StatefulSets and Services; see `config/console/dev-view.yaml`). 100 | 101 | ### mesh 102 | ```bash 103 | $> ./setup.sh mesh 104 | ``` 105 | Installs Red Hat OpenShift ServiceMesh and adds the grumpycat application to the mesh. 106 | 107 | This can be uninstalled by executing 108 | ```bash 109 | $> oc delete -k config/mesh 110 | ``` 111 | 112 | If you want to add other namespaces to the mesh, please edit the file `config/mesh/sm-members.yaml`. Please also note that, in order to let the mesh inject the sidecar, you need to add the following annotation to the pod template of the `Deployment` you want in the mesh: 113 | 114 | ```yaml 115 | spec: 116 | template: 117 | metadata: 118 | annotations: 119 | sidecar.istio.io/inject: 'true' 120 | ``` 121 | 122 | ## monitoring 123 | ```bash 124 | $> ./setup.sh monitoring 125 | ``` 126 | 127 | Configures the monitoring stack of OpenShift so that all the data will be stored on the provided storage. It also configures user-workload monitoring. 128 | Please make sure you're adding ServiceMonitor entries for your own services (see `config/monitoring/service-monitor-example.yaml`). 129 | 130 | ## oauth 131 | ```bash 132 | $> ./setup.sh oauth 133 | ``` 134 | 135 | Configures an SSO provider (namely Google). Please make sure to first go to [Google Console](https://console.developers.google.com/apis/credentials) and register a new OAuth2 client. 
Then take the generated ClientID and Client Secret and create a new file `config/oauth/client-secret.env` based on the file 136 | `config/oauth/example-client-secret.env`. 137 | 138 | Then you're able to log into OpenShift via your SSO provider's user/pwd combination. If you've logged in once, you should also make sure that your 139 | newly created user has all required roles associated with it. In my case, I am calling the following 140 | 141 | ```bash 142 | $> oc adm policy add-cluster-role-to-user cluster-admin "wpernath@redhat.com" 143 | ``` 144 | 145 | ## rhdh 146 | ```bash 147 | $> ./setup.sh rhdh 148 | or 149 | $> oc apply -k config/rhdh 150 | ``` 151 | 152 | Installs and configures Red Hat Developer Hub in a namespace called `rhdh` using the `Red Hat Developer Hub - Operator`. It configures the following plugins to be used with RHDH: 153 | - GitHub Auth 154 | - GitHub App 155 | - GitHub SSO 156 | - Kubernetes 157 | - A sample software catalog based on https://github.com/wpernath/red-hat-developer-hub-software-templates/blob/main/templates.yaml 158 | 159 | In order to make it your configuration, please copy both, the `example-backend-secret.env` and the `example-github-secret.env`, into `config/rhdh/backend-secret.env` and `config/rhdh/github-secret.env` and fill your tokens and secrets in there. 160 | 161 | To configure other plugins, please have a look at `config/rhdh/app-config-rhdh.yaml`. 
162 | -------------------------------------------------------------------------------- /config/ci/gitea-config.yaml: --------------------------------------------------------------------------------
# Gitea app.ini for the demo `ci` namespace. config/ci/gitea.yaml mounts this
# ConfigMap's app.ini key at /home/gitea/conf inside the gitea container.
# config/ci/kustomization.yaml lists this file commented out; presumably
# setup.sh applies it separately after substituting @HOSTNAME — confirm.
apiVersion: v1
kind: ConfigMap
metadata:
  name: gitea-config
# NOTE(review): this is a ConfigMap, not a Secret, and the [security] and
# [database] sections below carry fixed credentials that are committed to git
# (INTERNAL_TOKEN, SECRET_KEY, DB PASSWD). They are fine for a throw-away demo
# but must be regenerated (and ideally moved to a Secret) before any other use.
# NOTE(review): PASSWORD_COMPLEXITY = off and DISABLE_REGISTRATION = false are
# relied on by config/ci/gitea-init-run.yaml, which creates the admin account
# through POST /user/sign_up with the password "openshift"; tightening either
# setting here breaks that task. ROOT_URL is http:// because the gitea Route
# in config/ci/gitea.yaml has no TLS stanza, so Basic-auth calls from the init
# task and the API token travel in clear text inside the cluster ingress path.
data:
  app.ini: |
    APP_NAME = Gitea: Git with a cup of tea
    RUN_USER = gitea
    RUN_MODE = prod

    [security]
    INTERNAL_TOKEN = glXtv83JUc4NQ0RowkSlVnLlVD5lJGE4DC3uFckvJhCuJnNXEpIYLriYnCfXK8FaDELLYtRAsiiOFjlSIK2kLUl7QE8Et31O8WHD6Ld4f
    INSTALL_LOCK = true
    SECRET_KEY = g8nwStpuWF
    PASSWORD_COMPLEXITY = off

    [oauth2]
    ENABLE = false

    [database]
    DB_TYPE = postgres
    HOST = gitea-postgresql:5432
    NAME = gitea
    USER = gitea
    PASSWD = gitea
    SSL_MODE = disable

    [repository]
    ROOT = /gitea-repositories

    [server]
    ROOT_URL = http://@HOSTNAME
    SSH_DOMAIN = @HOSTNAME
    DOMAIN = @HOSTNAME
    HTTP_PORT = 3000
    SSH_PORT = 2022
    DISABLE_SSH = false
    START_SSH_SERVER = true
    LFS_START_SERVER = false
    OFFLINE_MODE = false

    [mailer]
    ENABLED = false

    [service]
    REGISTER_EMAIL_CONFIRM = false
    ENABLE_NOTIFY_MAIL = false
    DISABLE_REGISTRATION = false
    ENABLE_CAPTCHA = false
    REQUIRE_SIGNIN_VIEW = false
    DEFAULT_KEEP_EMAIL_PRIVATE = false
    DEFAULT_ALLOW_CREATE_ORGANIZATION = true
    DEFAULT_ENABLE_TIMETRACKING = true
    NO_REPLY_ADDRESS = noreply.example.org

    [picture]
    DISABLE_GRAVATAR = false
    ENABLE_FEDERATED_AVATAR = true

    [openid]
    ENABLE_OPENID_SIGNIN = false
    ENABLE_OPENID_SIGNUP = false

    [session]
    PROVIDER = file

    [log]
    MODE = file
    LEVEL = Info
    ROOT_PATH = /home/gitea/log

    [markup.asciidoc]
    ENABLED = true
    FILE_EXTENSIONS = .adoc,.asciidoc
    RENDER_COMMAND = "asciidoc --out-file=- -"
    IS_INPUT_FILE = false
-------------------------------------------------------------------------------- /config/ci/gitea-init-run.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: tekton.dev/v1beta1 2 | kind: TaskRun 3 | metadata: 4 | generateName: init-gitea- 5 | spec: 6 | taskSpec: 7 | params: 8 | - name: GITEA_USER 9 | type: string 10 | description: Gitea admin username 11 | default: gitea 12 | - name: GITEA_PASSWORD 13 | type: string 14 | description: Gitea admin password 15 | default: openshift 16 | stepTemplate: 17 | env: 18 | - name: NAMESPACE 19 | valueFrom: 20 | fieldRef: 21 | fieldPath: metadata.namespace 22 | steps: 23 | - name: config-gitea 24 | image: quay.io/wpernath/kustomize-ubi:latest 25 | script: | 26 | #!/usr/bin/env bash 27 | echo "hello" 28 | kubectl get route gitea -o template --template="{{.spec.host}}" 29 | 30 | - name: init-gitea 31 | image: quay.io/siamaksade/python-oc 32 | script: | 33 | #!/usr/bin/env python3 34 | 35 | import os 36 | import requests 37 | 38 | gitea_user = "$(params.GITEA_USER)" 39 | gitea_pwd = "$(params.GITEA_PASSWORD)" 40 | giteaURL = "http://" + os.popen('oc get route gitea -o template --template="{{.spec.host}}"').read() 41 | 42 | # create admin user 43 | data_user = { 44 | 'user_name': gitea_user, 45 | 'password': gitea_pwd, 46 | 'retype': gitea_pwd, 47 | 'email': 'admin@gitea.com' 48 | } 49 | 50 | resp = requests.post(url = giteaURL + "/user/sign_up", data = data_user) 51 | 52 | if resp.status_code != 200: 53 | print("Error creating Gitea admin (status code: {})".format(resp.status_code)) 54 | print(resp.content) 55 | else: 56 | print("Created admin user {}:{}".format(gitea_user, gitea_pwd)) 57 | 58 | # create git repo spring-petclinic 59 | data_repo = '{"clone_addr": "https://github.com/wpernath/quarkus-grumpycat.git", "uid": 1, "repo_name": "quarkus-grumpycat"}' 60 | headers = {'Content-Type': 'application/json'} 61 | resp = requests.post(url = giteaURL + "/api/v1/repos/migrate", 
headers = headers, auth = (gitea_user, gitea_pwd), data = data_repo) 62 | 63 | if resp.status_code != 200 and resp.status_code != 201: 64 | print("Error creating git repo (status code: {})".format(resp.status_code)) 65 | print(resp.content) 66 | else: 67 | print("Created git repo quarkus-grumpycat") 68 | 69 | # create git repo spring-petclinic-config 70 | data_repo = '{"clone_addr": "https://github.com/wpernath/grumpycat-config.git", "uid": 1, "repo_name": "grumpycat-config"}' 71 | headers = {'Content-Type': 'application/json'} 72 | resp = requests.post(url = giteaURL + "/api/v1/repos/migrate", headers = headers, auth = (gitea_user, gitea_pwd), data = data_repo) 73 | 74 | if resp.status_code != 200 and resp.status_code != 201: 75 | print("Error creating git repo (status code: {})".format(resp.status_code)) 76 | print(resp.content) 77 | else: 78 | print("Created git repo grumpycat-config") 79 | 80 | # create git repo simple-openshift-sinatra-sti 81 | data_repo = '{"clone_addr": "https://github.com/wpernath/simple-openshift-sinatra-sti.git", "uid": 1, "repo_name": "simple-openshift-sinatra"}' 82 | headers = {'Content-Type': 'application/json'} 83 | resp = requests.post(url = giteaURL + "/api/v1/repos/migrate", headers = headers, auth = (gitea_user, gitea_pwd), data = data_repo) 84 | 85 | if resp.status_code != 200 and resp.status_code != 201: 86 | print("Error creating git repo (status code: {})".format(resp.status_code)) 87 | print(resp.content) 88 | else: 89 | print("Created git repo grumpycat-config") 90 | 91 | # create git repo 92 | data_repo = '{"clone_addr": "https://github.com/wpernath/quarkus-demo-service.git", "uid": 1, "repo_name": "quarkus-demo-service"}' 93 | headers = {'Content-Type': 'application/json'} 94 | resp = requests.post(url = giteaURL + "/api/v1/repos/migrate", headers = headers, auth = (gitea_user, gitea_pwd), data = data_repo) 95 | 96 | if resp.status_code != 200 and resp.status_code != 201: 97 | print("Error creating git repo (status code: 
{})".format(resp.status_code)) 98 | print(resp.content) 99 | else: 100 | print("Created git repo grumpycat-config") 101 | 102 | 103 | # create token for user 104 | data_token = '{"name": "cicd"}' 105 | headers = {'Content-Type': 'application/json'} 106 | resp = requests.post(url = giteaURL + "/api/v1/users/" + gitea_user + "/tokens", headers = headers, auth = (gitea_user, gitea_pwd), data = data_token) 107 | resp.raise_for_status() 108 | gitea_token = resp.json()["sha1"] 109 | print("## Token: " + gitea_token + " ##") 110 | 111 | os.popen('oc create secret generic gitea --from-literal=token=' + gitea_token + ' --from-literal=webhook=""') -------------------------------------------------------------------------------- /config/ci/gitea.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | labels: 6 | app: gitea 7 | name: gitea 8 | --- 9 | apiVersion: v1 10 | kind: Service 11 | metadata: 12 | annotations: 13 | description: Exposes the database server 14 | name: gitea-postgresql 15 | spec: 16 | ports: 17 | - name: postgresql 18 | port: 5432 19 | targetPort: 5432 20 | selector: 21 | name: gitea-postgresql 22 | --- 23 | apiVersion: apps/v1 24 | kind: Deployment 25 | metadata: 26 | name: gitea-postgresql 27 | annotations: 28 | image.openshift.io/triggers: >- 29 | [{"from":{"kind":"ImageStreamTag","name":"postgresql:12", "namespace":"openshift"},"fieldPath":"spec.template.spec.containers[?(@.name==\"postgresql\")].image"}] 30 | labels: 31 | app: gitea 32 | app.kubernetes.io/component: database 33 | app.kubernetes.io/instance: gitea 34 | app.kubernetes.io/name: gitea-postgresql 35 | app.kubernetes.io/part-of: gitea 36 | spec: 37 | replicas: 1 38 | selector: 39 | matchLabels: 40 | app: gitea 41 | name: gitea-postgresql 42 | template: 43 | metadata: 44 | labels: 45 | app: gitea 46 | name: gitea-postgresql 47 | spec: 48 | containers: 49 | - name: postgresql 50 | 
imagePullPolicy: Always 51 | image: postgresql:12 52 | env: 53 | - name: POSTGRESQL_USER 54 | value: gitea 55 | - name: POSTGRESQL_PASSWORD 56 | value: gitea 57 | - name: POSTGRESQL_DATABASE 58 | value: gitea 59 | - name: POSTGRESQL_MAX_CONNECTIONS 60 | value: "100" 61 | - name: POSTGRESQL_SHARED_BUFFERS 62 | value: 12MB 63 | - name: POSTGRESQL_ADMIN_PASSWORD 64 | value: gitea 65 | ports: 66 | - containerPort: 5432 67 | livenessProbe: 68 | initialDelaySeconds: 30 69 | tcpSocket: 70 | port: 5432 71 | timeoutSeconds: 1 72 | failureThreshold: 10 73 | periodSeconds: 20 74 | readinessProbe: 75 | exec: 76 | command: 77 | - /bin/sh 78 | - -i 79 | - -c 80 | - psql -h 127.0.0.1 -U ${POSTGRESQL_USER} -q -d ${POSTGRESQL_DATABASE} -c 'SELECT 1' 81 | resources: 82 | limits: 83 | memory: 512Mi 84 | volumeMounts: 85 | - mountPath: /var/lib/pgsql/data 86 | name: gitea-postgres-data 87 | volumes: 88 | - name: gitea-postgres-data 89 | persistentVolumeClaim: 90 | claimName: gitea-postgres-data 91 | --- 92 | apiVersion: v1 93 | kind: Service 94 | metadata: 95 | annotations: 96 | description: The Gitea server's http port 97 | service.alpha.openshift.io/dependencies: '[{"name":"gitea-postgresql","namespace":"","kind":"Service"}]' 98 | labels: 99 | app: gitea 100 | name: gitea 101 | spec: 102 | ports: 103 | - name: 3000-tcp 104 | port: 3000 105 | protocol: TCP 106 | targetPort: 3000 107 | selector: 108 | app: gitea 109 | name: gitea 110 | sessionAffinity: None 111 | type: ClusterIP 112 | status: 113 | loadBalancer: {} 114 | --- 115 | apiVersion: route.openshift.io/v1 116 | kind: Route 117 | metadata: 118 | annotations: 119 | description: Route for application's http service. 
120 | labels: 121 | app: gitea 122 | name: gitea 123 | spec: 124 | to: 125 | name: gitea 126 | --- 127 | apiVersion: apps/v1 128 | kind: Deployment 129 | metadata: 130 | name: gitea 131 | labels: 132 | app: gitea 133 | app.kubernetes.io/component: gitea 134 | app.kubernetes.io/instance: gitea 135 | app.kubernetes.io/name: gitea 136 | app.kubernetes.io/part-of: gitea 137 | spec: 138 | replicas: 1 139 | selector: 140 | matchLabels: 141 | app: gitea 142 | name: gitea 143 | template: 144 | metadata: 145 | labels: 146 | app: gitea 147 | name: gitea 148 | spec: 149 | containers: 150 | - name: gitea 151 | imagePullPolicy: Always 152 | image: quay.io/gpte-devops-automation/gitea:1.17.2 153 | ports: 154 | - containerPort: 3000 155 | protocol: TCP 156 | volumeMounts: 157 | - mountPath: /gitea-repositories 158 | name: gitea-repositories 159 | - mountPath: /home/gitea/conf 160 | name: gitea-config 161 | readinessProbe: 162 | httpGet: 163 | path: / 164 | port: 3000 165 | scheme: HTTP 166 | initialDelaySeconds: 5 167 | periodSeconds: 20 168 | successThreshold: 1 169 | timeoutSeconds: 1 170 | livenessProbe: 171 | httpGet: 172 | path: / 173 | port: 3000 174 | scheme: HTTP 175 | initialDelaySeconds: 30 176 | periodSeconds: 10 177 | successThreshold: 1 178 | timeoutSeconds: 1 179 | serviceAccountName: gitea 180 | volumes: 181 | - name: gitea-repositories 182 | persistentVolumeClaim: 183 | claimName: gitea-repositories 184 | - configMap: 185 | items: 186 | - key: app.ini 187 | path: app.ini 188 | name: gitea-config 189 | name: gitea-config 190 | --- 191 | apiVersion: v1 192 | kind: PersistentVolumeClaim 193 | metadata: 194 | name: gitea-repositories 195 | spec: 196 | accessModes: 197 | - ReadWriteOnce 198 | resources: 199 | requests: 200 | storage: 1Gi 201 | --- 202 | apiVersion: v1 203 | kind: PersistentVolumeClaim 204 | metadata: 205 | name: gitea-postgres-data 206 | spec: 207 | accessModes: 208 | - ReadWriteOnce 209 | resources: 210 | requests: 211 | storage: 1Gi 
-------------------------------------------------------------------------------- /config/ci/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | 4 | namespace: ci 5 | 6 | resources: 7 | - ns.yaml 8 | - nexus.yaml 9 | - gitea.yaml 10 | #- gitea-config.yaml 11 | #- gitea-init-run.yaml 12 | -------------------------------------------------------------------------------- /config/ci/nexus.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: apps/v1 3 | kind: Deployment 4 | metadata: 5 | labels: 6 | app: nexus 7 | app.kubernetes.io/instance: nexus 8 | app.kubernetes.io/name: nexus 9 | app.kubernetes.io/part-of: nexus 10 | name: nexus 11 | spec: 12 | replicas: 1 13 | selector: 14 | matchLabels: 15 | app: nexus 16 | template: 17 | metadata: 18 | labels: 19 | app: nexus 20 | spec: 21 | containers: 22 | - name: nexus 23 | image: quay.io/siamaksade/nexus3:3.16.2 24 | env: 25 | - name: CONTEXT_PATH 26 | value: / 27 | imagePullPolicy: IfNotPresent 28 | ports: 29 | - containerPort: 8081 30 | protocol: TCP 31 | livenessProbe: 32 | exec: 33 | command: 34 | - echo 35 | - ok 36 | failureThreshold: 3 37 | initialDelaySeconds: 30 38 | periodSeconds: 10 39 | successThreshold: 1 40 | timeoutSeconds: 1 41 | readinessProbe: 42 | failureThreshold: 3 43 | httpGet: 44 | path: / 45 | port: 8081 46 | scheme: HTTP 47 | initialDelaySeconds: 30 48 | periodSeconds: 10 49 | successThreshold: 1 50 | timeoutSeconds: 1 51 | resources: 52 | limits: 53 | memory: 4Gi 54 | cpu: 2 55 | requests: 56 | memory: 512Mi 57 | cpu: 200m 58 | terminationMessagePath: /dev/termination-log 59 | volumeMounts: 60 | - mountPath: /nexus-data 61 | name: nexus-data 62 | volumes: 63 | - name: nexus-data 64 | persistentVolumeClaim: 65 | claimName: nexus-pv 66 | --- 67 | apiVersion: v1 68 | kind: Service 69 | metadata: 70 | labels: 71 | app: nexus 
72 | name: nexus 73 | spec: 74 | ports: 75 | - name: 8081-tcp 76 | port: 8081 77 | protocol: TCP 78 | targetPort: 8081 79 | selector: 80 | app: nexus 81 | sessionAffinity: None 82 | type: ClusterIP 83 | --- 84 | apiVersion: route.openshift.io/v1 85 | kind: Route 86 | metadata: 87 | labels: 88 | app: nexus 89 | name: nexus 90 | spec: 91 | port: 92 | targetPort: 8081-tcp 93 | to: 94 | kind: Service 95 | name: nexus 96 | weight: 100 97 | --- 98 | apiVersion: v1 99 | kind: PersistentVolumeClaim 100 | metadata: 101 | labels: 102 | app: nexus 103 | name: nexus-pv 104 | spec: 105 | accessModes: 106 | - ReadWriteOnce 107 | resources: 108 | requests: 109 | storage: 5Gi -------------------------------------------------------------------------------- /config/ci/ns.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: ci 5 | -------------------------------------------------------------------------------- /config/console/dev-view.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: operator.openshift.io/v1 2 | kind: Console 3 | metadata: 4 | annotations: 5 | name: cluster 6 | spec: 7 | customization: 8 | perspectives: 9 | - id: dev 10 | pinnedResources: 11 | - group: "" 12 | resource: configmaps 13 | version: v1 14 | - group: "" 15 | resource: secrets 16 | version: v1 17 | - group: "" 18 | resource: pods 19 | version: v1 20 | - group: "" 21 | resource: persistentvolumeclaims 22 | version: v1 23 | - group: route.openshift.io 24 | resource: routes 25 | version: v1 26 | - group: apps 27 | resource: deployments 28 | version: v1 29 | - group: apps 30 | resource: statefulsets 31 | version: v1 32 | - group: "" 33 | resource: services 34 | version: v1 35 | visibility: 36 | state: Enabled 37 | -------------------------------------------------------------------------------- /config/console/kustomization.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | 4 | resources: 5 | - dev-view.yaml 6 | - links.yaml -------------------------------------------------------------------------------- /config/console/links.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: console.openshift.io/v1 2 | kind: ConsoleLink 3 | metadata: 4 | name: application-menu-link-1 5 | spec: 6 | href: 'https://github.com/wpernath' 7 | location: ApplicationMenu 8 | text: Wanja's GitHub 9 | applicationMenu: 10 | section: Other Links 11 | imageURL: https://avatars.githubusercontent.com/u/1204218?v=4 12 | --- 13 | apiVersion: console.openshift.io/v1 14 | kind: ConsoleLink 15 | metadata: 16 | name: application-menu-link-2 17 | spec: 18 | href: 'https://www.opensourcerers.org/category/cloud-native-application-development/' 19 | location: ApplicationMenu 20 | text: OpenSourcerers Blog 21 | applicationMenu: 22 | section: Other Links 23 | imageURL: https://www.opensourcerers.org/wp-content/uploads/2020/09/cropped-opensourcerers_logo_FULL.png 24 | --- 25 | apiVersion: console.openshift.io/v1 26 | kind: ConsoleLink 27 | metadata: 28 | name: application-menu-link-3 29 | spec: 30 | href: 'https://developers.redhat.com/e-books/getting-gitops-practical-platform-openshift-argo-cd-and-tekton' 31 | location: ApplicationMenu 32 | text: Getting GitOps by Wanja 33 | applicationMenu: 34 | section: Other Links 35 | imageURL: https://developers.redhat.com/sites/default/files/styles/cheat_sheet_feature/public/GettingGitOps-book-cover.png?itok=30D-nnPL 36 | -------------------------------------------------------------------------------- /config/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | 4 | resources: 5 | # first install console add/ons 
6 | - console/dev-view.yaml 7 | - console/links.yaml 8 | 9 | # install all operators 10 | - operators/builds.yaml 11 | - operators/gitops.yaml 12 | - operators/crunchy.yaml 13 | - operators/pipelines.yaml 14 | - operators/serverless.yaml 15 | - operators/strimzi.yaml 16 | 17 | # configure registry 18 | - registry/image-registry.yaml 19 | - registry/config.yaml 20 | 21 | -------------------------------------------------------------------------------- /config/mesh/README.MD: -------------------------------------------------------------------------------- 1 | # Module: mesh 2 | ```bash 3 | $> ./setup.sh mesh 4 | ``` 5 | Installs Red Hat OpenShift ServiceMesh and adds the grumpycat application to the mesh. 6 | 7 | This can be uninstalled by executing 8 | ```bash 9 | $> oc delete -k config/mesh 10 | ``` 11 | 12 | If you want to add other namespaces to the mesh, please edit the file `config/mesh/sm-members.yaml`. Please also note, that - in order to let the mesh inject the sidecar - you need to add the following annotation to the `Deployment` of a - well - deployment: 13 | 14 | ```yaml 15 | spec: 16 | template: 17 | metadata: 18 | annotations: 19 | sidecar.istio.io/inject: 'true' 20 | ``` 21 | -------------------------------------------------------------------------------- /config/mesh/control-plane.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: istio-system 5 | --- 6 | kind: ServiceMeshControlPlane 7 | apiVersion: maistra.io/v2 8 | metadata: 9 | name: istio 10 | namespace: istio-system 11 | spec: 12 | gateways: 13 | openshiftRoute: 14 | enabled: true 15 | version: v2.5 16 | tracing: 17 | type: Jaeger 18 | sampling: 10000 19 | policy: 20 | type: Istiod 21 | telemetry: 22 | type: Istiod 23 | # enable access logging! 
24 | proxy: 25 | accessLogging: 26 | file: 27 | name: /dev/stdout 28 | addons: 29 | jaeger: 30 | install: 31 | storage: 32 | type: Memory 33 | prometheus: 34 | enabled: true 35 | kiali: 36 | enabled: true 37 | grafana: 38 | enabled: true -------------------------------------------------------------------------------- /config/mesh/elastic.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: operators.coreos.com/v1alpha1 2 | kind: Subscription 3 | metadata: 4 | name: elasticsearch-operator 5 | namespace: openshift-operators-redhat 6 | spec: 7 | channel: stable 8 | name: elasticsearch-operator 9 | source: redhat-operators 10 | sourceNamespace: openshift-marketplace 11 | -------------------------------------------------------------------------------- /config/mesh/jaeger.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: operators.coreos.com/v1alpha1 2 | kind: Subscription 3 | metadata: 4 | name: jaeger-product 5 | namespace: openshift-distributed-tracing 6 | spec: 7 | channel: stable 8 | name: jaeger-product 9 | source: redhat-operators 10 | sourceNamespace: openshift-marketplace 11 | -------------------------------------------------------------------------------- /config/mesh/kiali.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: operators.coreos.com/v1alpha1 2 | kind: Subscription 3 | metadata: 4 | name: kiali-operator 5 | namespace: openshift-operators 6 | spec: 7 | channel: stable 8 | name: kiali-ossm 9 | source: redhat-operators 10 | sourceNamespace: openshift-marketplace 11 | -------------------------------------------------------------------------------- /config/mesh/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | 4 | resources: 5 | # install namespaces for operators 6 | - 
ns-op-rh.yaml 7 | - ns-op-dt.yaml 8 | 9 | # install prereq operators 10 | - elastic.yaml 11 | - jaeger.yaml 12 | - kiali.yaml 13 | 14 | # install servicemesh operator 15 | - mesh.yaml 16 | 17 | # create control plane 18 | - control-plane.yaml 19 | 20 | -------------------------------------------------------------------------------- /config/mesh/mesh.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: operators.coreos.com/v1alpha1 2 | kind: Subscription 3 | metadata: 4 | name: servicemesh-operator 5 | namespace: openshift-operators 6 | spec: 7 | channel: stable 8 | name: servicemeshoperator 9 | source: redhat-operators 10 | sourceNamespace: openshift-marketplace 11 | -------------------------------------------------------------------------------- /config/mesh/ns-op-dt.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: openshift-distributed-tracing 5 | --- 6 | apiVersion: operators.coreos.com/v1 7 | kind: OperatorGroup 8 | metadata: 9 | name: openshift-distributed-tracing 10 | namespace: openshift-distributed-tracing 11 | spec: 12 | upgradeStrategy: Default -------------------------------------------------------------------------------- /config/mesh/ns-op-rh.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: openshift-operators-redhat 5 | --- 6 | apiVersion: operators.coreos.com/v1 7 | kind: OperatorGroup 8 | metadata: 9 | name: openshift-operators-redhat 10 | namespace: openshift-operators-redhat 11 | spec: 12 | upgradeStrategy: Default -------------------------------------------------------------------------------- /config/mesh/sample/bookinfo-gateway.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: Gateway 3 | metadata: 4 | 
name: bookinfo-gateway 5 | spec: 6 | # The selector matches the ingress gateway pod labels. 7 | # If you installed Istio using Helm following the standard documentation, this would be "istio=ingress" 8 | selector: 9 | istio: ingressgateway # use istio default controller 10 | servers: 11 | - port: 12 | number: 80 13 | name: http 14 | protocol: HTTP 15 | hosts: 16 | - "*" 17 | --- 18 | apiVersion: networking.istio.io/v1alpha3 19 | kind: VirtualService 20 | metadata: 21 | name: bookinfo 22 | spec: 23 | hosts: 24 | - "*" 25 | gateways: 26 | - bookinfo-gateway 27 | http: 28 | - match: 29 | - uri: 30 | exact: /productpage 31 | - uri: 32 | prefix: /static 33 | - uri: 34 | exact: /login 35 | - uri: 36 | exact: /logout 37 | - uri: 38 | prefix: /api/v1/products 39 | route: 40 | - destination: 41 | host: productpage 42 | port: 43 | number: 9080 -------------------------------------------------------------------------------- /config/mesh/sample/bookinfo-sample.yaml: -------------------------------------------------------------------------------- 1 | # Copyright Istio Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | ################################################################################################## 16 | # This file defines the services, service accounts, and deployments for the Bookinfo sample. 
17 | # 18 | # To apply all 4 Bookinfo services, their corresponding service accounts, and deployments: 19 | # 20 | # kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml 21 | # 22 | # Alternatively, you can deploy any resource separately: 23 | # 24 | # kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml -l service=reviews # reviews Service 25 | # kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml -l account=reviews # reviews ServiceAccount 26 | # kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml -l app=reviews,version=v3 # reviews-v3 Deployment 27 | ################################################################################################## 28 | apiVersion: v1 29 | kind: Namespace 30 | metadata: 31 | name: bookinfo 32 | --- 33 | ################################################################################################## 34 | # Details service 35 | ################################################################################################## 36 | apiVersion: v1 37 | kind: Service 38 | metadata: 39 | name: details 40 | labels: 41 | app: details 42 | service: details 43 | spec: 44 | ports: 45 | - port: 9080 46 | name: http 47 | selector: 48 | app: details 49 | --- 50 | apiVersion: v1 51 | kind: ServiceAccount 52 | metadata: 53 | name: bookinfo-details 54 | labels: 55 | account: details 56 | --- 57 | apiVersion: apps/v1 58 | kind: Deployment 59 | metadata: 60 | name: details-v1 61 | labels: 62 | app: details 63 | version: v1 64 | spec: 65 | replicas: 1 66 | selector: 67 | matchLabels: 68 | app: details 69 | version: v1 70 | template: 71 | metadata: 72 | annotations: 73 | sidecar.istio.io/inject: "true" 74 | labels: 75 | app: details 76 | version: v1 77 | spec: 78 | serviceAccountName: bookinfo-details 79 | containers: 80 | - name: details 81 | image: quay.io/maistra/examples-bookinfo-details-v1:2.4.0 82 | imagePullPolicy: IfNotPresent 83 | ports: 84 | - containerPort: 9080 85 | --- 86 | 
################################################################################################## 87 | # Ratings service 88 | ################################################################################################## 89 | apiVersion: v1 90 | kind: Service 91 | metadata: 92 | name: ratings 93 | labels: 94 | app: ratings 95 | service: ratings 96 | spec: 97 | ports: 98 | - port: 9080 99 | name: http 100 | selector: 101 | app: ratings 102 | --- 103 | apiVersion: v1 104 | kind: ServiceAccount 105 | metadata: 106 | name: bookinfo-ratings 107 | labels: 108 | account: ratings 109 | --- 110 | apiVersion: apps/v1 111 | kind: Deployment 112 | metadata: 113 | name: ratings-v1 114 | labels: 115 | app: ratings 116 | version: v1 117 | spec: 118 | replicas: 1 119 | selector: 120 | matchLabels: 121 | app: ratings 122 | version: v1 123 | template: 124 | metadata: 125 | annotations: 126 | sidecar.istio.io/inject: "true" 127 | labels: 128 | app: ratings 129 | version: v1 130 | spec: 131 | serviceAccountName: bookinfo-ratings 132 | containers: 133 | - name: ratings 134 | image: quay.io/maistra/examples-bookinfo-ratings-v1:2.4.0 135 | imagePullPolicy: IfNotPresent 136 | ports: 137 | - containerPort: 9080 138 | --- 139 | ################################################################################################## 140 | # Reviews service 141 | ################################################################################################## 142 | apiVersion: v1 143 | kind: Service 144 | metadata: 145 | name: reviews 146 | labels: 147 | app: reviews 148 | service: reviews 149 | spec: 150 | ports: 151 | - port: 9080 152 | name: http 153 | selector: 154 | app: reviews 155 | --- 156 | apiVersion: v1 157 | kind: ServiceAccount 158 | metadata: 159 | name: bookinfo-reviews 160 | labels: 161 | account: reviews 162 | --- 163 | apiVersion: apps/v1 164 | kind: Deployment 165 | metadata: 166 | name: reviews-v1 167 | labels: 168 | app: reviews 169 | version: v1 170 | spec: 171 | 
replicas: 1 172 | selector: 173 | matchLabels: 174 | app: reviews 175 | version: v1 176 | template: 177 | metadata: 178 | annotations: 179 | sidecar.istio.io/inject: "true" 180 | labels: 181 | app: reviews 182 | version: v1 183 | spec: 184 | serviceAccountName: bookinfo-reviews 185 | containers: 186 | - name: reviews 187 | image: quay.io/maistra/examples-bookinfo-reviews-v1:2.4.0 188 | imagePullPolicy: IfNotPresent 189 | env: 190 | - name: LOG_DIR 191 | value: "/tmp/logs" 192 | ports: 193 | - containerPort: 9080 194 | volumeMounts: 195 | - name: tmp 196 | mountPath: /tmp 197 | - name: wlp-output 198 | mountPath: /opt/ibm/wlp/output 199 | volumes: 200 | - name: wlp-output 201 | emptyDir: {} 202 | - name: tmp 203 | emptyDir: {} 204 | --- 205 | apiVersion: apps/v1 206 | kind: Deployment 207 | metadata: 208 | name: reviews-v2 209 | labels: 210 | app: reviews 211 | version: v2 212 | spec: 213 | replicas: 1 214 | selector: 215 | matchLabels: 216 | app: reviews 217 | version: v2 218 | template: 219 | metadata: 220 | annotations: 221 | sidecar.istio.io/inject: "true" 222 | labels: 223 | app: reviews 224 | version: v2 225 | spec: 226 | serviceAccountName: bookinfo-reviews 227 | containers: 228 | - name: reviews 229 | image: quay.io/maistra/examples-bookinfo-reviews-v2:2.4.0 230 | imagePullPolicy: IfNotPresent 231 | env: 232 | - name: LOG_DIR 233 | value: "/tmp/logs" 234 | ports: 235 | - containerPort: 9080 236 | volumeMounts: 237 | - name: tmp 238 | mountPath: /tmp 239 | - name: wlp-output 240 | mountPath: /opt/ibm/wlp/output 241 | volumes: 242 | - name: wlp-output 243 | emptyDir: {} 244 | - name: tmp 245 | emptyDir: {} 246 | --- 247 | apiVersion: apps/v1 248 | kind: Deployment 249 | metadata: 250 | name: reviews-v3 251 | labels: 252 | app: reviews 253 | version: v3 254 | spec: 255 | replicas: 1 256 | selector: 257 | matchLabels: 258 | app: reviews 259 | version: v3 260 | template: 261 | metadata: 262 | annotations: 263 | sidecar.istio.io/inject: "true" 264 | labels: 265 | 
app: reviews 266 | version: v3 267 | spec: 268 | serviceAccountName: bookinfo-reviews 269 | containers: 270 | - name: reviews 271 | image: quay.io/maistra/examples-bookinfo-reviews-v3:2.4.0 272 | imagePullPolicy: IfNotPresent 273 | env: 274 | - name: LOG_DIR 275 | value: "/tmp/logs" 276 | ports: 277 | - containerPort: 9080 278 | volumeMounts: 279 | - name: tmp 280 | mountPath: /tmp 281 | - name: wlp-output 282 | mountPath: /opt/ibm/wlp/output 283 | volumes: 284 | - name: wlp-output 285 | emptyDir: {} 286 | - name: tmp 287 | emptyDir: {} 288 | --- 289 | ################################################################################################## 290 | # Productpage services 291 | ################################################################################################## 292 | apiVersion: v1 293 | kind: Service 294 | metadata: 295 | name: productpage 296 | labels: 297 | app: productpage 298 | service: productpage 299 | spec: 300 | ports: 301 | - port: 9080 302 | name: http 303 | selector: 304 | app: productpage 305 | --- 306 | apiVersion: v1 307 | kind: ServiceAccount 308 | metadata: 309 | name: bookinfo-productpage 310 | labels: 311 | account: productpage 312 | --- 313 | apiVersion: apps/v1 314 | kind: Deployment 315 | metadata: 316 | name: productpage-v1 317 | labels: 318 | app: productpage 319 | version: v1 320 | spec: 321 | replicas: 1 322 | selector: 323 | matchLabels: 324 | app: productpage 325 | version: v1 326 | template: 327 | metadata: 328 | annotations: 329 | prometheus.io/scrape: "true" 330 | prometheus.io/port: "9080" 331 | prometheus.io/path: "/metrics" 332 | sidecar.istio.io/inject: "true" 333 | labels: 334 | app: productpage 335 | version: v1 336 | spec: 337 | serviceAccountName: bookinfo-productpage 338 | containers: 339 | - name: productpage 340 | image: quay.io/maistra/examples-bookinfo-productpage-v1:2.4.0 341 | imagePullPolicy: IfNotPresent 342 | ports: 343 | - containerPort: 9080 344 | volumeMounts: 345 | - name: tmp 346 | mountPath: 
/tmp 347 | volumes: 348 | - name: tmp 349 | emptyDir: {} 350 | --- -------------------------------------------------------------------------------- /config/mesh/sample/dest-rules.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: DestinationRule 3 | metadata: 4 | name: productpage 5 | spec: 6 | host: productpage 7 | subsets: 8 | - name: v1 9 | labels: 10 | version: v1 11 | --- 12 | apiVersion: networking.istio.io/v1alpha3 13 | kind: DestinationRule 14 | metadata: 15 | name: reviews 16 | spec: 17 | host: reviews 18 | subsets: 19 | - name: v1 20 | labels: 21 | version: v1 22 | - name: v2 23 | labels: 24 | version: v2 25 | - name: v3 26 | labels: 27 | version: v3 28 | --- 29 | apiVersion: networking.istio.io/v1alpha3 30 | kind: DestinationRule 31 | metadata: 32 | name: ratings 33 | spec: 34 | host: ratings 35 | subsets: 36 | - name: v1 37 | labels: 38 | version: v1 39 | - name: v2 40 | labels: 41 | version: v2 42 | - name: v2-mysql 43 | labels: 44 | version: v2-mysql 45 | - name: v2-mysql-vm 46 | labels: 47 | version: v2-mysql-vm 48 | --- 49 | apiVersion: networking.istio.io/v1alpha3 50 | kind: DestinationRule 51 | metadata: 52 | name: details 53 | spec: 54 | host: details 55 | subsets: 56 | - name: v1 57 | labels: 58 | version: v1 59 | - name: v2 60 | labels: 61 | version: v2 62 | --- -------------------------------------------------------------------------------- /config/mesh/sample/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | namespace: bookinfo 4 | 5 | resources: 6 | - bookinfo-sample.yaml 7 | - bookinfo-gateway.yaml 8 | - dest-rules.yaml 9 | 10 | # configure control plane to include certain namespaces 11 | - sm-members.yaml 12 | -------------------------------------------------------------------------------- /config/mesh/sample/sm-members.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: maistra.io/v1 2 | kind: ServiceMeshMemberRoll 3 | metadata: 4 | name: default 5 | namespace: istio-system 6 | spec: 7 | members: 8 | # a list of projects joined into the service mesh 9 | # - grumpycat 10 | - bookinfo 11 | #- ci 12 | # - cat-ci 13 | # - cat-dev 14 | # - cat-stage 15 | # - cat-prod 16 | -------------------------------------------------------------------------------- /config/monitoring/README.MD: -------------------------------------------------------------------------------- 1 | # Module: monitoring 2 | ```bash 3 | $> ./setup.sh monitoring 4 | ``` 5 | 6 | Configures the monitoring provider of OpenShift so that all the data is stored on the provided persistent storage. 7 | It also enables user workload monitoring. Please make sure you add ServiceMonitor entries for the user services you want scraped. 8 | -------------------------------------------------------------------------------- /config/monitoring/cluster-monitoring-config.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: cluster-monitoring-config 5 | namespace: openshift-monitoring 6 | data: 7 | config.yaml: | 8 | enableUserWorkload: true 9 | prometheusK8s: 10 | volumeClaimTemplate: 11 | spec: 12 | volumeMode: Filesystem 13 | resources: 14 | requests: 15 | storage: 40Gi 16 | -------------------------------------------------------------------------------- /config/monitoring/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | 4 | resources: 5 | - cluster-monitoring-config.yaml 6 | - user-workload-config.yaml 7 | - service-monitor-example.yaml 8 | -------------------------------------------------------------------------------- 
/config/monitoring/service-monitor-example.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: monitoring.coreos.com/v1 2 | kind: ServiceMonitor 3 | metadata: 4 | labels: 5 | k8s-app: cat-server 6 | name: cat-monitor 7 | namespace: cat-dev 8 | spec: 9 | endpoints: 10 | - interval: 10s 11 | port: web 12 | scheme: http 13 | path: /q/metrics 14 | selector: 15 | matchLabels: 16 | app: cat-server 17 | -------------------------------------------------------------------------------- /config/monitoring/user-workload-config.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: user-workload-monitoring-config 5 | namespace: openshift-user-workload-monitoring 6 | data: 7 | config.yaml: | 8 | prometheus: 9 | retention: 24h 10 | resources: 11 | requests: 12 | cpu: 200m 13 | memory: 2Gi 14 | -------------------------------------------------------------------------------- /config/oauth/README.MD: -------------------------------------------------------------------------------- 1 | # Module: oauth 2 | ```bash 3 | $> ./setup.sh oauth 4 | ``` 5 | 6 | Configures an SSO provider (namely Google). Please make sure to first go to [Google Console](https://console.developers.google.com/apis/credentials) and register a new OAuth2 client. Then take the generated ClientID and Client Secret and create a new file `config/oauth/client-secret.env` based on the file 7 | `config/oauth/example-client-secret.env`. 8 | 9 | Then you're able to log into OpenShift via your SSO provider's user/pwd combination. If you've logged in once, you should also make sure that your 10 | newly created user has all required roles associated with it. 
In my case, I am calling the following 11 | 12 | ```bash 13 | $> oc adm policy add-cluster-role-to-user cluster-admin "wpernath@redhat.com" 14 | ``` 15 | -------------------------------------------------------------------------------- /config/oauth/admin-rb.yaml: -------------------------------------------------------------------------------- 1 | kind: ClusterRoleBinding 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | metadata: 4 | name: cluster-admin-23435 5 | subjects: 6 | - kind: User 7 | apiGroup: rbac.authorization.k8s.io 8 | name: ADMIN_USER_PLACEHOLDER 9 | roleRef: 10 | apiGroup: rbac.authorization.k8s.io 11 | kind: ClusterRole 12 | name: cluster-admin 13 | -------------------------------------------------------------------------------- /config/oauth/example-client-secret.env: -------------------------------------------------------------------------------- 1 | # Define your client secret and client ID from Google apis 2 | # https://console.developers.google.com/apis/credentials 3 | # 4 | # And specify them in the following key/value parts. 
5 | # Rename this file to client-secret.env and fill in the values; keep that file out of version control. 6 | 7 | clientSecret= 8 | clientID= 9 | adminUser= -------------------------------------------------------------------------------- /config/oauth/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | 4 | resources: 5 | - oauth.yaml 6 | - admin-rb.yaml 7 | 8 | # we don't need name suffixes 9 | generatorOptions: 10 | disableNameSuffixHash: true 11 | 12 | # generate a secret with everything from client-secret.env 13 | secretGenerator: 14 | - name: google-sso-secret 15 | namespace: openshift-config 16 | type: generic 17 | envs: 18 | - client-secret.env 19 | 20 | # generate a config map to get keys from client-secret.env (note: because the same env file is used, this also copies clientSecret into a plain ConfigMap, not only into the Secret above) 21 | configMapGenerator: 22 | - name: tmp-props 23 | envs: 24 | - client-secret.env 25 | 26 | # Use the values in ConfigMap tmp-props to update 27 | # properties in OAuth and admin role binding 28 | replacements: 29 | # Update clientID in OAuth/spec/identityProviders 30 | - source: 31 | fieldPath: data.clientID 32 | kind: ConfigMap 33 | name: tmp-props 34 | version: v1 35 | targets: 36 | - fieldPaths: 37 | - spec.identityProviders.0.google.clientID 38 | select: 39 | group: config.openshift.io 40 | kind: OAuth 41 | name: cluster 42 | version: v1 43 | 44 | # Update user name in admin-rb.yaml 45 | - source: 46 | fieldPath: data.adminUser 47 | kind: ConfigMap 48 | name: tmp-props 49 | version: v1 50 | targets: 51 | - fieldPaths: 52 | - subjects.0.name 53 | select: 54 | group: rbac.authorization.k8s.io 55 | kind: ClusterRoleBinding 56 | name: cluster-admin-23435 57 | version: v1 58 | -------------------------------------------------------------------------------- /config/oauth/oauth.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: config.openshift.io/v1 2 | kind: OAuth 3 | metadata: 4 | name: cluster 5 | spec: 6 | identityProviders: 7 | - 
google: 8 | clientID: CLIENT_ID_PLACEHOLDER 9 | clientSecret: 10 | name: google-sso-secret 11 | hostedDomain: redhat.com 12 | mappingMethod: claim 13 | name: RedHatSSO 14 | type: Google -------------------------------------------------------------------------------- /config/operators/builds.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: operators.coreos.com/v1alpha1 2 | kind: Subscription 3 | metadata: 4 | name: openshift-builds-operator 5 | namespace: openshift-operators 6 | spec: 7 | channel: latest 8 | installPlanApproval: Automatic 9 | name: openshift-builds-operator 10 | source: redhat-operators 11 | sourceNamespace: openshift-marketplace 12 | -------------------------------------------------------------------------------- /config/operators/crunchy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: operators.coreos.com/v1alpha1 2 | kind: Subscription 3 | metadata: 4 | name: crunchy-postgres-operator 5 | namespace: openshift-operators 6 | spec: 7 | channel: v5 8 | name: crunchy-postgres-operator 9 | source: certified-operators 10 | sourceNamespace: openshift-marketplace 11 | installPlanApproval: Automatic 12 | -------------------------------------------------------------------------------- /config/operators/gitops.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: operators.coreos.com/v1alpha1 2 | kind: Subscription 3 | metadata: 4 | name: openshift-gitops 5 | namespace: openshift-operators 6 | spec: 7 | channel: latest 8 | name: openshift-gitops-operator 9 | source: redhat-operators 10 | sourceNamespace: openshift-marketplace 11 | installPlanApproval: Automatic 12 | -------------------------------------------------------------------------------- /config/operators/infinispan.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: 
operators.coreos.com/v1alpha1 2 | kind: Subscription 3 | metadata: 4 | name: infinispan 5 | namespace: openshift-operators 6 | spec: 7 | channel: stable 8 | installPlanApproval: Automatic 9 | name: infinispan 10 | source: community-operators 11 | sourceNamespace: openshift-marketplace 12 | -------------------------------------------------------------------------------- /config/operators/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | 4 | resources: 5 | - gitops.yaml 6 | - pipelines.yaml 7 | - serverless.yaml 8 | - strimzi.yaml 9 | - crunchy.yaml 10 | - infinispan.yaml 11 | - rhdh.yaml 12 | - builds.yaml 13 | 14 | 15 | -------------------------------------------------------------------------------- /config/operators/pipelines.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: operators.coreos.com/v1alpha1 2 | kind: Subscription 3 | metadata: 4 | name: openshift-pipelines 5 | namespace: openshift-operators 6 | spec: 7 | channel: latest 8 | name: openshift-pipelines-operator-rh 9 | source: redhat-operators 10 | installPlanApproval: Automatic 11 | sourceNamespace: openshift-marketplace 12 | -------------------------------------------------------------------------------- /config/operators/rhdh.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: rhdh-operator 5 | --- 6 | apiVersion: operators.coreos.com/v1alpha1 7 | kind: Subscription 8 | metadata: 9 | name: rhdh 10 | namespace: rhdh-operator 11 | spec: 12 | channel: fast 13 | installPlanApproval: Automatic 14 | name: rhdh 15 | source: redhat-operators 16 | sourceNamespace: openshift-marketplace 17 | -------------------------------------------------------------------------------- /config/operators/serverless.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: operators.coreos.com/v1alpha1 2 | kind: Subscription 3 | metadata: 4 | name: openshift-serverless 5 | namespace: openshift-operators 6 | spec: 7 | channel: stable 8 | name: serverless-operator 9 | source: redhat-operators 10 | sourceNamespace: openshift-marketplace 11 | installPlanApproval: Automatic -------------------------------------------------------------------------------- /config/operators/strimzi.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: operators.coreos.com/v1alpha1 2 | kind: Subscription 3 | metadata: 4 | name: amq-kafka-operator 5 | namespace: openshift-operators 6 | spec: 7 | channel: stable 8 | installPlanApproval: Automatic 9 | name: amq-streams 10 | source: redhat-operators 11 | sourceNamespace: openshift-marketplace 12 | -------------------------------------------------------------------------------- /config/registry/config.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: imageregistry.operator.openshift.io/v1 2 | kind: Config 3 | metadata: 4 | finalizers: 5 | - imageregistry.operator.openshift.io/finalizer 6 | name: cluster 7 | spec: 8 | defaultRoute: true 9 | logLevel: Normal 10 | managementState: Managed 11 | operatorLogLevel: Normal 12 | proxy: {} 13 | replicas: 1 14 | requests: 15 | read: 16 | maxWaitInQueue: 0s 17 | write: 18 | maxWaitInQueue: 0s 19 | rolloutStrategy: Recreate 20 | storage: 21 | pvc: 22 | claim: image-registry-storage 23 | 24 | 25 | -------------------------------------------------------------------------------- /config/registry/image-registry.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: PersistentVolumeClaim 3 | metadata: 4 | name: image-registry-storage 5 | namespace: openshift-image-registry 6 | spec: 7 | accessModes: 8 | - ReadWriteOnce 9 | 
resources: 10 | requests: 11 | storage: 20Gi 12 | 13 | -------------------------------------------------------------------------------- /config/registry/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | 4 | resources: 5 | - image-registry.yaml 6 | - config.yaml 7 | -------------------------------------------------------------------------------- /config/rhdh/README.MD: -------------------------------------------------------------------------------- 1 | # Module: rhdh 2 | Installing and configuring Red Hat Developer Hub. 3 | 4 | ```bash 5 | $> ./setup.sh rhdh 6 | or 7 | $> oc apply -k config/rhdh 8 | ``` 9 | 10 | Installs and configures Red Hat Developer Hub in a namespace called `rhdh` using the `Red Hat Developer Hub - Operator`. It configures the following plugins to be used with RHDH: 11 | - GitHub Auth 12 | - GitHub App 13 | - GitHub SSO 14 | - Kubernetes 15 | - A sample software catalog based on https://github.com/wpernath/red-hat-developer-hub-software-templates/blob/main/templates.yaml 16 | 17 | In order to make it your configuration, please copy both, the `example-backend-secret.env` and the `example-github-secret.env`, into `config/rhdh/backend-secret.env` and `config/rhdh/github-secret.env` and fill your tokens and secrets in there. 18 | 19 | To configure other plugins, please have a look at `config/rhdh/app-config-rhdh.yaml`. 20 | -------------------------------------------------------------------------------- /config/rhdh/app-config-rhdh.yaml: -------------------------------------------------------------------------------- 1 | app: 2 | title: Wanja's Developer Hub 3 | baseUrl: https://backstage-rhdh-rhdh.apps.grumpycat.sandbox2134.opentlc.com 4 | signInPage: github 5 | organization: 6 | name: Wanja Inc. 
7 | integrations: 8 | github: 9 | - host: github.com 10 | apps: 11 | - appId: ${GITHUB_APP_APP_ID} 12 | clientId: ${GITHUB_APP_CLIENT_ID} 13 | clientSecret: ${GITHUB_APP_CLIENT_SECRET} 14 | webhookUrl: ${GITHUB_APP_WEBHOOK_URL} 15 | webhookSecret: ${GITHUB_APP_WEBHOOK_SECRET} 16 | privateKey: ${GITHUB_APP_PRIVATE_KEY} 17 | auth: 18 | environment: development 19 | providers: 20 | github: 21 | development: 22 | clientId: ${GITHUB_OAUTH_CLIENT_ID} 23 | clientSecret: ${GITHUB_OAUTH_CLIENT_SECRET} 24 | permission: 25 | enabled: false 26 | rbac: 27 | # policies-csv-file: /opt/app-root/rbac 28 | admin: 29 | users: 30 | - name: user:default/wpernath 31 | backend: 32 | auth: 33 | # dangerouslyDisableDefaultAuthPolicy: true 34 | # keys: 35 | # - secret: "${BACKEND_SECRET}" 36 | baseUrl: https://backstage-rhdh-rhdh.apps.grumpycat.sandbox2134.opentlc.com/ 37 | cors: 38 | origin: https://backstage-rhdh-rhdh.apps.grumpycat.sandbox2134.opentlc.com/ 39 | enabled: 40 | argocd: true 41 | github: true 42 | kubernetes: true 43 | 44 | # configure kubernetes (skipTLSVerify below disables API server certificate checks; acceptable for a demo cluster, not for production) 45 | kubernetes: 46 | clusterLocatorMethods: 47 | - clusters: 48 | - authProvider: serviceAccount 49 | name: ${K8S_CLUSTER_NAME} 50 | skipTLSVerify: true 51 | url: ${K8S_CLUSTER_URL} 52 | serviceAccountToken: ${K8S_CLUSTER_TOKEN} 53 | type: config 54 | customResources: 55 | - apiVersion: v1beta1 56 | group: tekton.dev 57 | plural: pipelineruns 58 | - apiVersion: v1beta1 59 | group: tekton.dev 60 | plural: taskruns 61 | - apiVersion: v1 62 | group: route.openshift.io 63 | plural: routes 64 | serviceLocatorMethod: 65 | type: multiTenant 66 | 67 | # configure software catalog 68 | catalog: 69 | locations: 70 | - rules: 71 | - allow: 72 | - Template 73 | target: https://github.com/wpernath/red-hat-developer-hub-software-templates/blob/main/templates.yaml 74 | type: url 75 | -------------------------------------------------------------------------------- /config/rhdh/backstage.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: rhdh.redhat.com/v1alpha1 2 | kind: Backstage 3 | metadata: 4 | name: rhdh 5 | labels: 6 | app.kubernetes.io/instance: rhdh 7 | app.kubernetes.io/name: backstage 8 | spec: 9 | application: 10 | appConfig: 11 | mountPath: /opt/app-root/src 12 | configMaps: 13 | - name: rhdh-app-config 14 | # - name: rbac-policy 15 | # mountPath: /opt/app-root/rbac 16 | # dynamicPluginsConfigMapName: dynamic-plugins-rhdh 17 | extraEnvs: 18 | secrets: 19 | - name: rhdh-secrets 20 | - name: github-secrets 21 | extraFiles: 22 | mountPath: /opt/app-root/src 23 | replicas: 1 24 | route: 25 | enabled: true 26 | database: 27 | enableLocalDb: true 28 | -------------------------------------------------------------------------------- /config/rhdh/dynamic-plugins.yaml: -------------------------------------------------------------------------------- 1 | # Use this file to configure your dynamic plugins 2 | # If you're using any environment variables, please define them 3 | # in backend-secret.env 4 | includes: 5 | - dynamic-plugins.default.yaml 6 | plugins: 7 | - package: './dynamic-plugins/dist/backstage-plugin-catalog-backend-module-github-dynamic' 8 | disabled: false 9 | pluginConfig: {} 10 | - package: './dynamic-plugins/dist/backstage-plugin-kubernetes' 11 | disabled: false 12 | - package: './dynamic-plugins/dist/backstage-plugin-kubernetes-backend-dynamic' 13 | disabled: false 14 | - package: './dynamic-plugins/dist/janus-idp-backstage-plugin-topology' 15 | disabled: false 16 | 17 | -------------------------------------------------------------------------------- /config/rhdh/example-backend-secret.env: -------------------------------------------------------------------------------- 1 | # The backend secret used internally. Should be different from each 2 | # installation. 
3 | # Do not reuse the example value below; generate a fresh one, for example with: 4 | # $> node -p 'require("crypto").randomBytes(24).toString("base64")' 5 | BACKEND_SECRET=xIGKXBnpD3HooKkdyL15TEgaokCZUHPt 6 | 7 | # Define some variables for plugins (the cluster token is a credential; treat it like the other secrets here) 8 | K8S_CLUSTER_NAME=GrumpyCat 9 | K8S_CLUSTER_URL=https://api.grumpycat.sandbox2134.opentlc.com:6443 10 | K8S_CLUSTER_TOKEN=token 11 | -------------------------------------------------------------------------------- /config/rhdh/example-github-secret.env: -------------------------------------------------------------------------------- 1 | # github app for github integration 2 | GITHUB_APP_APP_ID=your app id 3 | GITHUB_APP_CLIENT_ID=your app client id 4 | GITHUB_APP_CLIENT_SECRET=your app client secret 5 | GITHUB_APP_PRIVATE_KEY=your app private key 6 | 7 | # must be none 8 | GITHUB_APP_WEBHOOK_SECRET=none 9 | 10 | # must be none 11 | GITHUB_APP_WEBHOOK_URL=none 12 | 13 | # github oauth client for oauth authentication 14 | GITHUB_OAUTH_CLIENT_ID=your oauth client id 15 | GITHUB_OAUTH_CLIENT_SECRET=your oauth client secret 16 | 17 | -------------------------------------------------------------------------------- /config/rhdh/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | namespace: rhdh 4 | 5 | resources: 6 | - ns.yaml 7 | - backstage.yaml 8 | 9 | 10 | # we don't need name suffixes 11 | generatorOptions: 12 | disableNameSuffixHash: true 13 | 14 | # generate secrets with everything from github-secret.env and backend-secret.env 15 | secretGenerator: 16 | - name: github-secrets 17 | type: Opaque 18 | envs: 19 | - github-secret.env 20 | - name: rhdh-secrets 21 | type: Opaque 22 | envs: 23 | - backend-secret.env 24 | 25 | # generate config maps from the app config, dynamic plugins and RBAC policy files 26 | configMapGenerator: 27 | - name: rhdh-app-config 28 | files: 29 | - app-config-rhdh.yaml 30 | - name: dynamic-plugins-rhdh 31 | files: 32 | - dynamic-plugins.yaml 33 | - name: rbac-policy 34 | 
files: 35 | - rbac-policy.csv -------------------------------------------------------------------------------- /config/rhdh/ns.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: rhdh 5 | 6 | -------------------------------------------------------------------------------- /config/rhdh/rbac-policy.csv: -------------------------------------------------------------------------------- 1 | p, role:default/guest, catalog-entity, read, deny 2 | p, role:default/guest, catalog.entity.create, create, deny -------------------------------------------------------------------------------- /config/storage/csi-driver-hostpath-provisioner.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: storage.k8s.io/v1 2 | kind: CSIDriver 3 | metadata: 4 | name: kubevirt.io.hostpath-provisioner 5 | spec: 6 | attachRequired: false 7 | storageCapacity: false 8 | fsGroupPolicy: File 9 | # Supports persistent volumes. 10 | volumeLifecycleModes: 11 | - Persistent 12 | # To determine at runtime which mode a volume uses, pod info and its 13 | # "csi.storage.k8s.io/ephemeral" entry are needed. 14 | podInfoOnMount: true 15 | -------------------------------------------------------------------------------- /config/storage/csi-driver/csi-kubevirt-hostpath-provisioner.yaml: -------------------------------------------------------------------------------- 1 | # All of the individual sidecar RBAC roles get bound 2 | # to this account. 
3 | kind: ServiceAccount 4 | apiVersion: v1 5 | metadata: 6 | name: csi-hostpath-provisioner-sa 7 | namespace: hostpath-provisioner 8 | --- 9 | apiVersion: rbac.authorization.k8s.io/v1 10 | kind: ClusterRoleBinding 11 | metadata: 12 | name: crc-csi-hostpathplugin-health-monitor-controller-cluster-role 13 | roleRef: 14 | apiGroup: rbac.authorization.k8s.io 15 | kind: ClusterRole 16 | name: crc-hostpath-external-health-monitor-controller-runner 17 | subjects: 18 | - kind: ServiceAccount 19 | name: csi-hostpath-provisioner-sa 20 | namespace: hostpath-provisioner 21 | --- 22 | apiVersion: rbac.authorization.k8s.io/v1 23 | kind: ClusterRoleBinding 24 | metadata: 25 | name: crc-csi-hostpathplugin-provisioner-cluster-role 26 | roleRef: 27 | apiGroup: rbac.authorization.k8s.io 28 | kind: ClusterRole 29 | name: crc-hostpath-external-provisioner-runner 30 | subjects: 31 | - kind: ServiceAccount 32 | name: csi-hostpath-provisioner-sa 33 | namespace: hostpath-provisioner 34 | --- 35 | apiVersion: rbac.authorization.k8s.io/v1 36 | kind: RoleBinding 37 | metadata: 38 | name: csi-hostpathplugin-health-monitor-controller-role 39 | roleRef: 40 | apiGroup: rbac.authorization.k8s.io 41 | kind: Role 42 | name: external-health-monitor-controller-cfg 43 | subjects: 44 | - kind: ServiceAccount 45 | name: csi-hostpath-provisioner-sa 46 | namespace: hostpath-provisioner 47 | --- 48 | apiVersion: rbac.authorization.k8s.io/v1 49 | kind: RoleBinding 50 | metadata: 51 | name: csi-hostpathplugin-provisioner-role 52 | roleRef: 53 | apiGroup: rbac.authorization.k8s.io 54 | kind: Role 55 | name: external-provisioner-cfg 56 | subjects: 57 | - kind: ServiceAccount 58 | name: csi-hostpath-provisioner-sa 59 | namespace: hostpath-provisioner 60 | --- 61 | kind: DaemonSet 62 | apiVersion: apps/v1 63 | metadata: 64 | name: csi-hostpathplugin 65 | spec: 66 | selector: 67 | matchLabels: 68 | app.kubernetes.io/instance: hostpath.csi.kubevirt.io 69 | app.kubernetes.io/part-of: csi-driver-host-path 70 | 
app.kubernetes.io/name: csi-hostpathplugin 71 | app.kubernetes.io/component: plugin 72 | template: 73 | metadata: 74 | labels: 75 | app.kubernetes.io/instance: hostpath.csi.kubevirt.io 76 | app.kubernetes.io/part-of: csi-driver-host-path 77 | app.kubernetes.io/name: csi-hostpathplugin 78 | app.kubernetes.io/component: plugin 79 | spec: 80 | serviceAccountName: csi-hostpath-provisioner-sa 81 | containers: 82 | - args: 83 | - --drivername=kubevirt.io.hostpath-provisioner 84 | - --v=3 85 | - --datadir=[{"name":"local","path":"/csi-data-dir"}] 86 | - --endpoint=$(CSI_ENDPOINT) 87 | - --nodeid=$(NODE_NAME) 88 | - --version=$(VERSION) 89 | env: 90 | - name: CSI_ENDPOINT 91 | value: unix:///csi/csi.sock 92 | - name: NODE_NAME 93 | valueFrom: 94 | fieldRef: 95 | apiVersion: v1 96 | fieldPath: spec.nodeName 97 | - name: PV_DIR 98 | value: /var/hpvolumes 99 | - name: VERSION 100 | value: latest 101 | image: quay.io/kubevirt/hostpath-csi-driver:latest 102 | imagePullPolicy: IfNotPresent 103 | livenessProbe: 104 | failureThreshold: 5 105 | httpGet: 106 | path: /healthz 107 | port: 9898 108 | scheme: HTTP 109 | initialDelaySeconds: 10 110 | periodSeconds: 2 111 | successThreshold: 1 112 | timeoutSeconds: 3 113 | name: hostpath-provisioner 114 | ports: 115 | - containerPort: 9898 116 | name: healthz 117 | protocol: TCP 118 | resources: {} 119 | securityContext: 120 | privileged: true 121 | terminationMessagePath: /dev/termination-log 122 | terminationMessagePolicy: File 123 | volumeMounts: 124 | - mountPath: /csi-data-dir 125 | name: csi-data-dir 126 | - mountPath: /var/lib/kubelet/plugins 127 | mountPropagation: Bidirectional 128 | name: plugins-dir 129 | - mountPath: /var/lib/kubelet/pods 130 | mountPropagation: Bidirectional 131 | name: mountpoint-dir 132 | - mountPath: /csi 133 | name: socket-dir 134 | - args: 135 | - --v=3 136 | - --csi-address=/csi/csi.sock 137 | - --kubelet-registration-path=/var/lib/kubelet/plugins/csi-hostpath/csi.sock 138 | env: 139 | - name: 
KUBE_NODE_NAME 140 | valueFrom: 141 | fieldRef: 142 | apiVersion: v1 143 | fieldPath: spec.nodeName 144 | image: k8s.gcr.io/sig-storage/csi-node-driver-registrar:v2.2.0 145 | imagePullPolicy: IfNotPresent 146 | name: node-driver-registrar 147 | resources: {} 148 | securityContext: 149 | privileged: true 150 | terminationMessagePath: /dev/termination-log 151 | terminationMessagePolicy: File 152 | volumeMounts: 153 | - mountPath: /csi 154 | name: socket-dir 155 | - mountPath: /registration 156 | name: registration-dir 157 | - mountPath: /csi-data-dir 158 | name: csi-data-dir 159 | - args: 160 | - --csi-address=/csi/csi.sock 161 | - --health-port=9898 162 | image: k8s.gcr.io/sig-storage/livenessprobe:v2.3.0 163 | imagePullPolicy: IfNotPresent 164 | name: liveness-probe 165 | resources: {} 166 | terminationMessagePath: /dev/termination-log 167 | terminationMessagePolicy: File 168 | volumeMounts: 169 | - mountPath: /csi 170 | name: socket-dir 171 | - args: 172 | - --v=5 173 | - --csi-address=/csi/csi.sock 174 | - --feature-gates=Topology=true 175 | - --enable-capacity=true 176 | - --capacity-for-immediate-binding=true 177 | - --extra-create-metadata=true 178 | - --immediate-topology=false 179 | - --strict-topology=true 180 | - --node-deployment=true 181 | env: 182 | - name: NAMESPACE 183 | valueFrom: 184 | fieldRef: 185 | apiVersion: v1 186 | fieldPath: metadata.namespace 187 | - name: POD_NAME 188 | valueFrom: 189 | fieldRef: 190 | apiVersion: v1 191 | fieldPath: metadata.name 192 | - name: NODE_NAME 193 | valueFrom: 194 | fieldRef: 195 | apiVersion: v1 196 | fieldPath: spec.nodeName 197 | image: k8s.gcr.io/sig-storage/csi-provisioner:v2.2.1 198 | imagePullPolicy: IfNotPresent 199 | name: csi-provisioner 200 | resources: {} 201 | securityContext: 202 | privileged: true 203 | terminationMessagePath: /dev/termination-log 204 | terminationMessagePolicy: File 205 | volumeMounts: 206 | - mountPath: /csi 207 | name: socket-dir 208 | volumes: 209 | - hostPath: 210 | path: 
/var/lib/kubelet/plugins/csi-hostpath 211 | type: DirectoryOrCreate 212 | name: socket-dir 213 | - hostPath: 214 | path: /var/lib/kubelet/pods 215 | type: DirectoryOrCreate 216 | name: mountpoint-dir 217 | - hostPath: 218 | path: /var/lib/kubelet/plugins_registry 219 | type: Directory 220 | name: registration-dir 221 | - hostPath: 222 | path: /var/lib/kubelet/plugins 223 | type: Directory 224 | name: plugins-dir 225 | - hostPath: 226 | # 'path' is where PV data is persisted on host. 227 | # using /tmp is also possible while the PVs will not available after plugin container recreation or host reboot 228 | path: /var/lib/csi-hostpath-data/ 229 | type: DirectoryOrCreate 230 | name: csi-data-dir 231 | -------------------------------------------------------------------------------- /config/storage/csi-sc.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: storage.k8s.io/v1 2 | kind: StorageClass 3 | metadata: 4 | name: crc-csi-hostpath-provisioner 5 | annotations: 6 | storageclass.kubernetes.io/is-default-class: "true" 7 | provisioner: kubevirt.io.hostpath-provisioner 8 | parameters: 9 | storagePool: local 10 | volumeBindingMode: WaitForFirstConsumer 11 | -------------------------------------------------------------------------------- /config/storage/external-provisioner-rbac.yaml: -------------------------------------------------------------------------------- 1 | # This YAML file contains all RBAC objects that are necessary to run external 2 | # CSI provisioner. 
3 | # 4 | # Note: the DaemonSet in csi-driver/csi-kubevirt-hostpath-provisioner.yaml runs as csi-hostpath-provisioner-sa and carries its own bindings to the roles defined here. The csi-provisioner ServiceAccount created below is not used by any pod in this module, yet its ClusterRoleBinding grants cluster-wide create/delete on persistentvolumes; remove the unused account and its bindings, or point the DaemonSet at it. # In production, each CSI driver deployment has to be customized:
55 | # In that case, external-provisioner will watch volumeattachments 56 | # to determine when it is safe to delete a volume. 57 | - apiGroups: ["storage.k8s.io"] 58 | resources: ["volumeattachments"] 59 | verbs: ["get", "list", "watch"] 60 | 61 | --- 62 | kind: ClusterRoleBinding 63 | apiVersion: rbac.authorization.k8s.io/v1 64 | metadata: 65 | name: crc-hostpath-csi-provisioner-role 66 | subjects: 67 | - kind: ServiceAccount 68 | name: csi-provisioner 69 | # replace with non-default namespace name 70 | namespace: hostpath-provisioner 71 | roleRef: 72 | kind: ClusterRole 73 | name: crc-hostpath-external-provisioner-runner 74 | apiGroup: rbac.authorization.k8s.io 75 | 76 | --- 77 | # Provisioner must be able to work with endpoints in current namespace 78 | # if (and only if) leadership election is enabled 79 | kind: Role 80 | apiVersion: rbac.authorization.k8s.io/v1 81 | metadata: 82 | # replace with non-default namespace name 83 | namespace: hostpath-provisioner 84 | name: external-provisioner-cfg 85 | rules: 86 | # Only one of the following rules for endpoints or leases is required based on 87 | # what is set for `--leader-election-type`. Endpoints are deprecated in favor of Leases. 88 | - apiGroups: [""] 89 | resources: ["endpoints"] 90 | verbs: ["get", "watch", "list", "delete", "update", "create"] 91 | - apiGroups: ["coordination.k8s.io"] 92 | resources: ["leases"] 93 | verbs: ["get", "watch", "list", "delete", "update", "create"] 94 | # Permissions for CSIStorageCapacity are only needed enabling the publishing 95 | # of storage capacity information. 96 | - apiGroups: ["storage.k8s.io"] 97 | resources: ["csistoragecapacities"] 98 | verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] 99 | # The GET permissions below are needed for walking up the ownership chain 100 | # for CSIStorageCapacity. 
They are sufficient for deployment via 101 | # StatefulSet (only needs to get Pod) and Deployment (needs to get 102 | # Pod and then ReplicaSet to find the Deployment). 103 | - apiGroups: [""] 104 | resources: ["pods"] 105 | verbs: ["get"] 106 | - apiGroups: ["apps"] 107 | resources: ["replicasets"] 108 | verbs: ["get"] 109 | 110 | --- 111 | kind: RoleBinding 112 | apiVersion: rbac.authorization.k8s.io/v1 113 | metadata: 114 | name: csi-provisioner-role-cfg 115 | # replace with non-default namespace name 116 | namespace: hostpath-provisioner 117 | subjects: 118 | - kind: ServiceAccount 119 | name: csi-provisioner 120 | # replace with non-default namespace name 121 | namespace: hostpath-provisioner 122 | roleRef: 123 | kind: Role 124 | name: external-provisioner-cfg 125 | apiGroup: rbac.authorization.k8s.io 126 | -------------------------------------------------------------------------------- /config/storage/kubevirt-hostpath-security-constraints-csi.yaml: -------------------------------------------------------------------------------- 1 | kind: SecurityContextConstraints 2 | apiVersion: security.openshift.io/v1 3 | metadata: 4 | name: hostpath-provisioner 5 | allowPrivilegedContainer: true 6 | requiredDropCapabilities: 7 | - KILL 8 | - MKNOD 9 | - SETUID 10 | - SETGID 11 | runAsUser: 12 | type: RunAsAny 13 | seLinuxContext: 14 | type: RunAsAny 15 | fsGroup: 16 | type: RunAsAny 17 | supplementalGroups: 18 | type: RunAsAny 19 | allowHostDirVolumePlugin: true 20 | readOnlyRootFilesystem: false 21 | allowHostNetwork: true 22 | users: 23 | - system:serviceaccount:hostpath-provisioner:csi-hostpath-provisioner-sa 24 | -------------------------------------------------------------------------------- /config/storage/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | 4 | namespace: hostpath-provisioner 5 | 6 | images: 7 | - name: 
quay.io/kubevirt/hostpath-csi-driver 8 | newName: registry.redhat.io/container-native-virtualization/hostpath-csi-driver-rhel9 9 | newTag: v4.13 10 | - name: k8s.gcr.io/sig-storage/csi-node-driver-registrar 11 | newName: registry.redhat.io/openshift4/ose-csi-node-driver-registrar 12 | newTag: latest 13 | - name: k8s.gcr.io/sig-storage/livenessprobe 14 | newName: registry.redhat.io/openshift4/ose-csi-livenessprobe 15 | newTag: latest 16 | - name: k8s.gcr.io/sig-storage/csi-provisioner 17 | newName: registry.redhat.io/openshift4/ose-csi-external-provisioner 18 | newTag: latest 19 | 20 | resources: 21 | - namespace.yaml 22 | - external-provisioner-rbac.yaml 23 | - csi-driver-hostpath-provisioner.yaml 24 | - kubevirt-hostpath-security-constraints-csi.yaml 25 | - csi-driver/csi-kubevirt-hostpath-provisioner.yaml 26 | - csi-sc.yaml 27 | -------------------------------------------------------------------------------- /config/storage/namespace.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: hostpath-provisioner 5 | -------------------------------------------------------------------------------- /config/users/admin-rb.yaml: -------------------------------------------------------------------------------- 1 | kind: ClusterRoleBinding 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | metadata: 4 | name: cluster-admin-1237 5 | subjects: 6 | - kind: User 7 | apiGroup: rbac.authorization.k8s.io 8 | name: admin 9 | roleRef: 10 | apiGroup: rbac.authorization.k8s.io 11 | kind: ClusterRole 12 | name: cluster-admin 13 | -------------------------------------------------------------------------------- /config/users/htpasswd: -------------------------------------------------------------------------------- 1 | admin:$2y$05$wzN9I/lhlqYgFtZBY6fCoeGTIcDbjeDnCBW5mM9wwC2.iof2yHjZW 2 | devel:$2y$05$NewTP1IOF7c1ud6C/9CeMuMS746Bvq6MSPJx7vmXhvuVMH6WI5bJS 3 | 
-------------------------------------------------------------------------------- /config/users/htpasswd-cr.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: config.openshift.io/v1 2 | kind: OAuth 3 | metadata: 4 | name: cluster 5 | spec: 6 | identityProviders: 7 | - name: Demo-Users 8 | mappingMethod: claim 9 | type: HTPasswd 10 | htpasswd: 11 | fileData: 12 | name: htpass-secret -------------------------------------------------------------------------------- /config/users/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | namespace: openshift-config 4 | 5 | secretGenerator: 6 | - name: htpass-secret 7 | options: 8 | disableNameSuffixHash: true 9 | files: 10 | - htpasswd 11 | 12 | resources: 13 | - htpasswd-cr.yaml 14 | - admin-rb.yaml 15 | -------------------------------------------------------------------------------- /setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # This script sets up a single node cluster (SNC) which was created by 3 | # the Cloud Installer (https://cloud.redhat.com/openshift/assisted-installer/clusters/~new) 4 | # 5 | # First, you have to install the SNC in your network. Then you are logging into it with kubeadmin 6 | # THEN you can let this script run, which will create PVs in the VM and configures the 7 | # internal registry to use one of the PVs for storing everything. 8 | # 9 | # Please see README.MD for more details. 
10 | # 11 | set -e -u -o pipefail 12 | 13 | declare HOST=192.168.2.23 # set it to your IP 14 | declare USER=core 15 | declare NUM_PVs=100 16 | declare KUBECONFIG="" 17 | declare OC=oc 18 | 19 | declare -r SCRIPT_DIR=$(cd -P $(dirname $0) && pwd) 20 | declare COMMAND="help" 21 | 22 | 23 | valid_command() { 24 | local fn=$1; shift 25 | [[ $(type -t "$fn") == "function" ]] 26 | } 27 | 28 | info() { 29 | printf "\n# INFO: $@\n" 30 | } 31 | 32 | err() { 33 | printf "\n# ERROR: $1\n" 34 | exit 1 35 | } 36 | 37 | while (( "$#" )); do 38 | case "$1" in 39 | rhdh|mesh|crc|sno|aws|monitoring|console|storage|registry|operators|ci|users|all|oauth) 40 | COMMAND=$1 41 | shift 42 | ;; 43 | -h|--host-name) 44 | HOST=$2 45 | shift 2 46 | ;; 47 | -u|--user-name) 48 | USER=$2 49 | shift 2 50 | ;; 51 | -k|--kubeconfig) 52 | KUBECONFIG=$2 53 | shift 2 54 | ;; 55 | --) 56 | shift 57 | break 58 | ;; 59 | -*|--*) 60 | err "Error: Unsupported flag $1" 61 | ;; 62 | *) 63 | break 64 | esac 65 | done 66 | 67 | 68 | command.help() { 69 | cat <<-EOF 70 | Provides some functions to make an OpenShift Single Node Cluster usable. 71 | 72 | NOTE: First, you need to install an OpenShift Single Node Cluster (CRC or SNO). Then you 73 | have to log into it using the kubeadmin credentials provided. 74 | 75 | oc login -u kubeadmin -p https://api.crc.testing:6443 76 | 77 | And THEN you can issue this script. 
78 | 79 | 80 | Usage: 81 | setup.sh [command] [options] 82 | 83 | Examples: 84 | ./setup.sh storage 85 | ./setup.sh registry 86 | ./setup.sh users 87 | ./setup.sh all 88 | 89 | COMMANDS: 90 | rhdh Installs and configures Red Hat Developer Hub (requires the install of the Operator first) 91 | oauth Adds a SSO provider to OpenShift 92 | console Adds some links to the App menu and some APIs to the left menu 93 | storage Setup CSI kubevirt hostpath provisioner 94 | registry Setup internal image registry to use a PVC and accept requests 95 | operators Install gitops and pipeline operators 96 | monitoring Configure OpenShift monitoring and user monitoring 97 | ci Install Nexus and Gogs in a ci namespace 98 | users Creates two users: admin/admin123 and devel/devel 99 | mesh Installs and configures RH Service Mesh 100 | help Help about this command 101 | 102 | ENVIRONMENTS: 103 | all calls all modules 104 | sno Fresh SNO: like all, except ci 105 | aws demo.redhat.com workshop: calls console, operators and ci 106 | crc Fresh CRC: calls console, operators, 107 | 108 | OPTIONS: 109 | -k --kubeconfig kubeconfig file to be used 110 | 111 | EOF 112 | } 113 | 114 | command.oauth() { 115 | info "Setting up OAuth2 provider..." 116 | cat <<-EOF 117 | Configuring SSO OAuth2 authentication provider with OpenShift 118 | First go to https://console.developers.google.com/apis/credentials 119 | and generate a new OAuth2 client. Then take the generated Client ID 120 | and Client Secret and put them into 121 | $SCRIPT_DIR/config/oauth/client-secret.env 122 | EOF 123 | $OC apply -k $SCRIPT_DIR/config/oauth 124 | } 125 | 126 | command.rhdh() { 127 | info "Installing and configuring OpenShift Developer Hub" 128 | cat <<-EOF 129 | Please make sure, you've called the 'operators' module first to install 130 | all the necessary operators. Then have a look at the 'config/rhdh' folder 131 | to configure Developer Hub according to your needs. 
132 | 133 | Copy both config/rhdh/example-*.yaml files to config/rhdh/ without the 134 | 'example' prefix and make sure they contain YOUR content. 135 | 136 | EOF 137 | $OC apply -k $SCRIPT_DIR/config/rhdh 138 | } 139 | 140 | 141 | command.mesh() { 142 | info "Configuring Red Hat OpenShift ServiceMesh operator" 143 | $OC apply -k $SCRIPT_DIR/config/mesh 144 | 145 | echo 146 | cat <<-EOF 147 | ServiceMesh should have been successfully installed and preconfigured to 148 | include a demo project (grumpycat) into the mesh. If you want to install 149 | the official bookinfo demo project for the mesh, please install it by calling 150 | 151 | $> oc apply -k $SCRIPT_DIR/config/mesh/sample 152 | EOF 153 | } 154 | 155 | command.console() { 156 | info "Configuring the OpenShift Console" 157 | $OC apply -k $SCRIPT_DIR/config/console 158 | } 159 | 160 | command.monitoring() { 161 | info "Configuring the OpenShift Monitoring and User Monitoring" 162 | $OC apply -k $SCRIPT_DIR/config/monitoring 163 | } 164 | 165 | # This command sets up the kubevirt hostpath provisioner 166 | command.storage() { 167 | info "Installing kubevirt CSI hostpath provisioner" 168 | $OC apply -k $SCRIPT_DIR/config/storage 169 | } 170 | 171 | command.registry() { 172 | info "Binding internal image registry to a persistent volume and make it manageable" 173 | # Apply registry pvc to bound with pv0001 174 | $OC apply -k $SCRIPT_DIR/config/registry 175 | } 176 | 177 | command.operators() { 178 | info "Installing a bunch of operators..." 
179 | $OC apply -k $SCRIPT_DIR/config/operators/ 180 | } 181 | 182 | command.ci() { 183 | info "Initialising a CI project in OpenShift with Nexus and Gitea installed" 184 | $OC apply -k $SCRIPT_DIR/config/ci 185 | 186 | GITEA_HOST=$($OC get route gitea -o template --template="{{.spec.host}}" -n ci) 187 | sed "s/@HOSTNAME/$GITEA_HOST/g" $SCRIPT_DIR/config/ci/gitea-config.yaml | $OC create -f - -n ci 188 | 189 | $OC rollout status deployment/gitea -n ci 190 | $OC create -f $SCRIPT_DIR/config/ci/gitea-init-run.yaml -n ci 191 | 192 | } 193 | 194 | command.users() { 195 | info "Creating an admin and a developer user." 196 | $OC apply -k $SCRIPT_DIR/config/users 197 | # we want admin be cluster-admin 198 | #$OC adm policy add-cluster-role-to-user cluster-admin admin 199 | 200 | info "Please wait a while until OpenShift has updated OAuth management" 201 | } 202 | 203 | command.crc() { 204 | command.console 205 | command.operators 206 | command.ci 207 | } 208 | 209 | command.sno() { 210 | $OC apply -k $SCRIPT_DIR/config 211 | command.monitoring 212 | command.storage 213 | command.users 214 | } 215 | 216 | command.aws() { 217 | command.operators 218 | command.console 219 | command.ci 220 | command.monitoring 221 | } 222 | 223 | command.all() { 224 | $OC apply -k $SCRIPT_DIR/config 225 | command.storage 226 | command.users 227 | command.ci 228 | command.monitoring 229 | } 230 | 231 | main() { 232 | local fn="command.$COMMAND" 233 | valid_command "$fn" || { 234 | err "invalid command '$COMMAND'" 235 | } 236 | 237 | # setup OC command 238 | if [ -n "$KUBECONFIG" ]; then 239 | info "Using kubeconfig $KUBECONFIG" 240 | OC="oc --kubeconfig $KUBECONFIG" 241 | else 242 | info "Using default kubeconfig" 243 | OC="oc" 244 | fi 245 | 246 | cd "$SCRIPT_DIR" 247 | $fn 248 | return $? 249 | } 250 | 251 | main 252 | 253 | --------------------------------------------------------------------------------