diff --git a/components/configs/cluster/baremetal/base/kustomization.yaml b/components/configs/cluster/baremetal/base/kustomization.yaml
index 4ea1bcca..757ec2eb 100644
--- a/components/configs/cluster/baremetal/base/kustomization.yaml
+++ b/components/configs/cluster/baremetal/base/kustomization.yaml
@@ -1,2 +1,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
+
+commonAnnotations:
+ config: baremetal
diff --git a/components/configs/kustomized/kata-container-example/base/kustomization.yaml b/components/configs/kustomized/kata-container-example/base/kustomization.yaml
new file mode 100644
index 00000000..ae1be880
--- /dev/null
+++ b/components/configs/kustomized/kata-container-example/base/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- pod-kata.yaml
+- pod-normal.yaml
diff --git a/components/configs/kustomized/kata-container-example/base/pod-kata.yaml b/components/configs/kustomized/kata-container-example/base/pod-kata.yaml
new file mode 100644
index 00000000..75164188
--- /dev/null
+++ b/components/configs/kustomized/kata-container-example/base/pod-kata.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: http-kata
+spec:
+ containers:
+ - name: http
+ image: registry.fedoraproject.org/fedora
+ ports:
+ - containerPort: 8080
+ command:
+ - "python3"
+ args:
+ - "-m"
+ - "http.server"
+ - "8080"
+ resources: {}
+ runtimeClassName: kata
diff --git a/components/configs/kustomized/kata-container-example/base/pod-normal.yaml b/components/configs/kustomized/kata-container-example/base/pod-normal.yaml
new file mode 100644
index 00000000..2dd5de0d
--- /dev/null
+++ b/components/configs/kustomized/kata-container-example/base/pod-normal.yaml
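Review bot: The `image: registry.fedoraproject.org/fedora` reference in pod-kata.yaml carries no tag or digest, so it resolves to a floating `latest` and the example is not reproducible between syncs; pin it, e.g. `image: registry.fedoraproject.org/fedora:<PINNED_TAG_OR_DIGEST>` (placeholder). The same applies to pod-normal.yaml in the next hunk. Both pods also set `resources: {}` and no `securityContext`; if the pair is meant to contrast the sandboxed and unsandboxed runtime, a comment stating that the only intended difference is `runtimeClassName: kata` would help readers, and an explicit `securityContext` (runAsNonRoot, dropped capabilities) keeps the comparison honest, since kata isolation complements rather than replaces in-pod hardening.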
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: http-normal
+spec:
+ containers:
+ - name: http
+ image: registry.fedoraproject.org/fedora
+ ports:
+ - containerPort: 8080
+ command:
+ - "python3"
+ args:
+ - "-m"
+ - "http.server"
+ - "8080"
+ resources: {}
diff --git a/components/configs/kustomized/kata-container-example/overlays/default/kustomization.yaml b/components/configs/kustomized/kata-container-example/overlays/default/kustomization.yaml
new file mode 100644
index 00000000..2b87e6b1
--- /dev/null
+++ b/components/configs/kustomized/kata-container-example/overlays/default/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- ../../base
diff --git a/components/configs/kustomized/kata-container-example/overlays/with-namespace/kustomization.yaml b/components/configs/kustomized/kata-container-example/overlays/with-namespace/kustomization.yaml
new file mode 100644
index 00000000..bd8f4353
--- /dev/null
+++ b/components/configs/kustomized/kata-container-example/overlays/with-namespace/kustomization.yaml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: kata-verification
+
+resources:
+- ../../base
+- namespace.yaml
diff --git a/components/configs/kustomized/kata-container-example/overlays/with-namespace/namespace.yaml b/components/configs/kustomized/kata-container-example/overlays/with-namespace/namespace.yaml
new file mode 100644
index 00000000..22891a97
--- /dev/null
+++ b/components/configs/kustomized/kata-container-example/overlays/with-namespace/namespace.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: kata-verification
+ annotations:
+ openshift.io/display-name: "Sandboxed Containers Verification"
+ argocd.argoproj.io/sync-wave: "0"
\ No newline at end of file
diff --git a/components/operators/nfd/aggregate/overlays/kata/kustomization.yaml b/components/operators/nfd/aggregate/overlays/kata/kustomization.yaml
new file mode 100644
index 00000000..4d95486b
--- /dev/null
+++ b/components/operators/nfd/aggregate/overlays/kata/kustomization.yaml
@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+commonAnnotations:
+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+
+namespace: openshift-nfd
+
+resources:
+ - ../../../operator/overlays/stable
+ - ../../../instance/overlays/kata
diff --git a/components/operators/nfd/instance/overlays/kata/kustomization.yaml b/components/operators/nfd/instance/overlays/kata/kustomization.yaml
new file mode 100644
index 00000000..a0a718b1
--- /dev/null
+++ b/components/operators/nfd/instance/overlays/kata/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ../../base
+ - nfd.yaml
diff --git a/components/operators/nfd/instance/overlays/kata/nfd.yaml b/components/operators/nfd/instance/overlays/kata/nfd.yaml
new file mode 100644
index 00000000..a5a9e5f6
--- /dev/null
+++ b/components/operators/nfd/instance/overlays/kata/nfd.yaml
@@ -0,0 +1,20 @@
+apiVersion: nfd.openshift.io/v1
+kind: NodeFeatureDiscovery
+metadata:
+ name: nfd-kata
+ namespace: openshift-nfd
+spec:
+ operand:
+ image: quay.io/openshift/origin-node-feature-discovery:4.12
+ imagePullPolicy: Always
+ servicePort: 12000
+ workerConfig:
+ configData: |
+ sources:
+ custom:
+ - name: "feature.node.kubernetes.io/runtime.kata"
+ matchOn:
+ - cpuId: ["SSE4", "VMX"]
+ loadedKMod: ["kvm", "kvm_intel"]
+ - cpuId: ["SSE4", "SVM"]
+ loadedKMod: ["kvm", "kvm_amd"]
diff --git a/components/operators/prometheus-operator/aggregate/base/kustomization.yaml b/components/operators/prometheus-operator/aggregate/base/kustomization.yaml
index 83de06a3..3ada1595 100644
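Review bot: The operand image in nfd.yaml is hard-coded to the floating tag `quay.io/openshift/origin-node-feature-discovery:4.12` with `imagePullPolicy: Always`, so a pod restart can pull a different build, and the operand is pinned to 4.12 while the aggregate overlay in this hunk group subscribes to the `stable` operator channel, which can drift apart. Either pin the image by digest or, if the operator supplies a default operand image when `spec.operand.image` is omitted (worth confirming against the operator's docs), drop the field so operator and operand stay in step. A comment above the `custom` source explaining that the `feature.node.kubernetes.io/runtime.kata` label is what the KataConfig's `checkNodeEligibility` consumes would make the cross-component dependency visible.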
--- a/components/operators/prometheus-operator/aggregate/base/kustomization.yaml +++ b/components/operators/prometheus-operator/aggregate/base/kustomization.yaml @@ -6,4 +6,4 @@ commonAnnotations: resources: - ../../operator/overlays/beta - - ../../instance/overlays/example + # - ../../instance/overlays/example diff --git a/components/operators/prometheus-operator/instance/base/kustomization.yaml b/components/operators/prometheus-operator/instance/base/kustomization.yaml index 4ea1bcca..38e4b56c 100644 --- a/components/operators/prometheus-operator/instance/base/kustomization.yaml +++ b/components/operators/prometheus-operator/instance/base/kustomization.yaml @@ -1,2 +1,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization + +commonAnnotations: + example: prometheus diff --git a/components/operators/sandboxed-containers-operator/INFO.md b/components/operators/sandboxed-containers-operator/INFO.md new file mode 100644 index 00000000..8d2a1232 --- /dev/null +++ b/components/operators/sandboxed-containers-operator/INFO.md 
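Review bot: Commenting out `../../instance/overlays/example` rather than deleting it leaves a dead reference that kustomize ignores, and any Argo CD application syncing this aggregate with pruning enabled will remove the previously applied example instance, which nothing in the hunk explains. If the intent is to make the instance opt-in, a one-line comment such as `# instance is opt-in; see ../../instance/overlays` states it; otherwise drop the line outright.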
@@ -0,0 +1,68 @@ +# sandboxed-containers-operator + +# Requirements +Your cluster must be installed on bare metal infrastructure with Red Hat Enterprise Linux CoreOS workers. + +# Details +OpenShift sandboxed containers based on the Kata Containers open source +project, provides an Open Container Initiative (OCI) compliant container +runtime using lightweight virtual machines, running your workloads in their own +isolated kernel and therefore contributing an additional layer of isolation +back to OpenShift’s Defense-in-Depth strategy. For more information +[see](https://catalog.redhat.com/software/operators/detail/5ee0d499fdbe7cddc2c91cf5). + +# Features & benefits +- **Isolated Developer Environments & Priviliges Scoping** + As a developer working on debugging an application using state-of-the-art + tooling you might need elevated privileges such as CAP_ADMIN or CAP_BPF. With + OpenShift sandboxed containers, any impact will be limited to a separate + dedicated kernel. + +- **Legacy Containerized Workload Isolation** + You are mid-way in converting a containerized monolith into cloud-native + microservices. However, the monolith still runs on your cluster unpatched and + unmaintained. OpenShift sandboxed containers helps isolate it in its own kernel + to reduce risk. + +- **Safe Multi-tenancy & Resource Sharing (CI/CD Jobs, CNFs, ..)** + If you are providing a service to multiple tenants, it could mean that the + service workloads are sharing the same resources (e.g., worker node). By + deploying in a dedicated kernel, the impact of these workloads have on one + another is greatly reduced. + +- **Additional Isolation with Native Kubernetes User Experience** + OpenShift sandboxed containers is used as a compliant OCI runtime. + Therefore, many operational patterns used with normal containers are still + preserved including but not limited to image scanning, GitOps, Imagestreams, + and so on. 
+ +# How to install + Read the information about the Operator and click Install. + + On the Install Operator page: + + - Select preview-1.0 from the list of available Update Channel options. + This ensures that you install the version of OpenShift sandboxed containers + that is compatible with your OpenShift Container Platform version. + + - For Installed Namespace, ensure that the Operator recommended namespace + option is selected. This installs the Operator in the mandatory + openshift-sandboxed-containers-operator namespace, which is automatically + created if it does not exist. Attempting to install the OpenShift + sandboxed containers Operator in a namespace other than + openshift-sandboxed-containers-operator causes the installation to fail. + + - For Approval Strategy, ensure that Automatic, which is the default value, + is selected. OpenShift sandboxed containers automatically updates when a new + z-stream release is available. + + - Click Install to make the Operator available to the OpenShift sandboxed + containers namespace. + + - The OpenShift sandboxed containers Operator is now installed on your + cluster. You can trigger the Operator by enabling the runtime on your cluster. + You can do this by creating a KataConfig CRD instance. For this click + on "create instance" on the operator overview page. + +# Documentation +See the official documentation [here](https://docs.openshift.com/container-platform/4.8/sandboxed_containers/understanding-sandboxed-containers.html). \ No newline at end of file diff --git a/components/operators/sandboxed-containers-operator/NOTES.md b/components/operators/sandboxed-containers-operator/NOTES.md new file mode 100644 index 00000000..0f84a899 --- /dev/null +++ b/components/operators/sandboxed-containers-operator/NOTES.md @@ -0,0 +1,5 @@ +# Notes + +## Links + +- https://cloud.redhat.com/blog/openshift-sandboxed-containers-101 
diff --git a/components/operators/sandboxed-containers-operator/README.md b/components/operators/sandboxed-containers-operator/README.md
new file mode 100644
index 00000000..82b54d16
--- /dev/null
+++ b/components/operators/sandboxed-containers-operator/README.md
@@ -0,0 +1,36 @@
+# OpenShift sandboxed containers Operator
+
+Install OpenShift sandboxed containers Operator.
+
+Do not use the `base` directory directly, as you will need to patch the `channel` based on the version of OpenShift you are using, or the version of the operator you want to use.
+
+The current *overlays* available are for the following channels:
+
+* [preview-1.0](operator/overlays/preview-1.0)
+* [preview-1.1](operator/overlays/preview-1.1)
+* [stable](operator/overlays/stable)
+* [stable-1.2](operator/overlays/stable-1.2)
+* [stable-1.3](operator/overlays/stable-1.3)
+
+## Usage
+
+If you have cloned the `gitops-catalog` repository, you can install OpenShift sandboxed containers Operator based on the overlay of your choice by running from the root (`gitops-catalog`) directory.
+
+```
+oc apply -k sandboxed-containers-operator/operator/overlays/
+```
+
+Or, without cloning:
+
+```
+oc apply -k https://github.com/redhat-cop/gitops-catalog/sandboxed-containers-operator/operator/overlays/
+```
+
+As part of a different overlay in your own GitOps repo:
+
+```
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - https://github.com/redhat-cop/gitops-catalog/sandboxed-containers-operator/operator/overlays/?ref=main
+```
diff --git a/components/operators/sandboxed-containers-operator/aggregate/aws/kustomization.yaml b/components/operators/sandboxed-containers-operator/aggregate/aws/kustomization.yaml
new file mode 100644
index 00000000..50e5c43a
--- /dev/null
+++ b/components/operators/sandboxed-containers-operator/aggregate/aws/kustomization.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+commonAnnotations:
+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+
+resources:
+ - ../../operator/overlays/stable
+ - ../../instance/overlays/aws
diff --git a/components/operators/sandboxed-containers-operator/aggregate/default/kustomization.yaml b/components/operators/sandboxed-containers-operator/aggregate/default/kustomization.yaml
new file mode 100644
index 00000000..84ab10e6
--- /dev/null
+++ b/components/operators/sandboxed-containers-operator/aggregate/default/kustomization.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+commonAnnotations:
+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+
+resources:
+ - ../../operator/overlays/stable
+ - ../../instance/overlays/default
diff --git a/components/operators/sandboxed-containers-operator/instance/base/aws/kustomization.yaml b/components/operators/sandboxed-containers-operator/instance/base/aws/kustomization.yaml
new file mode 100644
index 00000000..7da5d967
--- /dev/null
+++ b/components/operators/sandboxed-containers-operator/instance/base/aws/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: openshift-sandboxed-containers-operator
+
+resources:
+ - setup-machineset.yaml
diff --git a/components/operators/sandboxed-containers-operator/instance/base/aws/setup-machineset.yaml b/components/operators/sandboxed-containers-operator/instance/base/aws/setup-machineset.yaml
new file mode 100644
index 00000000..62ebff75
--- /dev/null
+++ b/components/operators/sandboxed-containers-operator/instance/base/aws/setup-machineset.yaml
@@ -0,0 +1,144 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: aws-metal-machineset-setup
+rules:
+- apiGroups:
+ - machine.openshift.io
+ resources:
+ - machinesets
+ verbs:
+ - '*'
+- apiGroups:
+ - autoscaling.openshift.io
+ resources:
+ - machineautoscalers
+ verbs:
+ - '*'
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ resourceNames:
+ - aws-creds
+ verbs:
+ - get
+ - list
+# - nonResourceURLs:
+# - '*'
+# verbs:
+# - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: aws-metal-machineset-setup
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: aws-metal-machineset-setup
+subjects:
+ - kind: ServiceAccount
+ name: aws-metal-machineset-setup
+ namespace: openshift-sandboxed-containers-operator
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: aws-metal-machineset-setup
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ generateName: aws-metal-machineset-setup-
+ name: aws-metal-machineset-setup
+ annotations:
+ argocd.argoproj.io/hook: Sync
+ # argocd.argoproj.io/hook-delete-policy: HookSucceeded
+spec:
+ template:
+ spec:
+ containers:
+ - name: aws-metal-machineset-setup
+ image: image-registry.openshift-image-registry.svc:5000/openshift/tools:latest
+ env:
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ command:
+ - /bin/bash
+ - -c
+ - |
+ #!/usr/bin/env bash
+
+ ocp_aws_cluster(){
+ oc -n kube-system get secret/aws-creds -o name > /dev/null 2>&1 || return 1
+ }
+
+ ocp_aws_create_metal_machineset(){
+ # https://aws.amazon.com/ec2/instance-types/m5zn
+ # m5.metal
+ # m5n.metal
+ INSTANCE_TYPE=${1:-m5zn.metal}
+ MACHINE_SET=$(oc -n openshift-machine-api get machinesets.machine.openshift.io -o name | grep worker | head -n1)
+
+ # check for an existing metal machine set
+ if oc -n openshift-machine-api get machinesets.machine.openshift.io -o name | grep metal; then
+ echo "Exists: METAL machineset"
+ else
+ echo "Creating: METAL machineset"
+ oc -n openshift-machine-api get "${MACHINE_SET}" -o yaml | \
+ sed '/machine/ s/-worker/-metal/g
+ /name/ s/-worker/-metal/g
+ s/instanceType.*/instanceType: '"${INSTANCE_TYPE}"'/
+ s/replicas.*/replicas: 0/' | \
+ oc apply -f -
+ fi
+
+ MACHINE_SET_METAL=$(oc -n openshift-machine-api get machinesets.machine.openshift.io -o name | grep metal | head -n1)
+
+ echo "Patching: Metal machineset"
+
+ # cosmetic
+ oc -n openshift-machine-api \
+ patch "${MACHINE_SET_METAL}" \
+ --type=merge --patch '{"spec":{"template":{"spec":{"metadata":{"labels":{"node-role.kubernetes.io/metal":""}}}}}}'
+
+ oc -n openshift-machine-api \
+ patch "${MACHINE_SET_METAL}" \
+ --type=merge --patch '{"spec":{"template":{"spec":{"providerSpec":{"value":{"instanceType":"'"${INSTANCE_TYPE}"'"}}}}}}'
+ }
+
+ ocp_create_machineset_autoscale(){
+ MACHINE_MIN=${1:-0}
+ MACHINE_MAX=${2:-4}
+ MACHINE_SETS=${3:-$(oc -n openshift-machine-api get machinesets.machine.openshift.io -o name | sed 's@.*/@@' )}
+
+ for set in ${MACHINE_SETS}
+ do
+ cat << YAML | oc apply -f -
+ apiVersion: "autoscaling.openshift.io/v1beta1"
+ kind: "MachineAutoscaler"
+ metadata:
+ name: "${set}"
+ namespace: "openshift-machine-api"
+ spec:
+ minReplicas: ${MACHINE_MIN}
+ maxReplicas: ${MACHINE_MAX}
+ scaleTargetRef:
+ apiVersion: machine.openshift.io/v1beta1
+ kind: MachineSet
+ name: "${set}"
+ YAML
+ done
+ }
+
+ ocp_aws_cluster || exit 0
+ ocp_aws_create_metal_machineset
+
+ restartPolicy: Never
+ terminationGracePeriodSeconds: 30
+ serviceAccount: aws-metal-machineset-setup
+ serviceAccountName: aws-metal-machineset-setup
diff --git a/components/operators/sandboxed-containers-operator/instance/base/kataconfig.yaml b/components/operators/sandboxed-containers-operator/instance/base/kataconfig.yaml
new file mode 100644
index 00000000..61426d85
--- /dev/null
+++ b/components/operators/sandboxed-containers-operator/instance/base/kataconfig.yaml
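Review bot: The ClusterRole in setup-machineset.yaml grants more than the embedded script uses: `resourceNames` does not constrain `list`, so `list` on `secrets` is effectively a cluster-wide secret-listing grant while the script only runs `oc -n kube-system get secret/aws-creds -o name`; `ocp_create_machineset_autoscale` is defined but never called, so the `'*'` rule on `machineautoscalers` is dead privilege; and `'*'` on `machinesets` exceeds the get/list/create/patch the script actually performs. The rules block below narrows the role to what the script does. Separately, there is no `set -euo pipefail` after the `#!/usr/bin/env bash` line, so a failed `oc apply` or `oc patch` still exits 0 and the Argo CD `Sync` hook reports success; adding it is advisable, with the `grep | head -n1` pipelines re-checked under `pipefail`. The `tools:latest` image tag is also floating and worth pinning.
```yaml
rules:
- apiGroups:
  - machine.openshift.io
  resources:
  - machinesets
  verbs:
  - get
  - list
  - create
  - patch
- apiGroups:
  - ''
  resources:
  - secrets
  resourceNames:
  - aws-creds
  verbs:
  - get
# … unchanged: ClusterRoleBinding, ServiceAccount, Job …
```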
@@ -0,0 +1,9 @@
+apiVersion: kataconfiguration.openshift.io/v1
+kind: KataConfig
+metadata:
+ name: kataconfig
+spec:
+ checkNodeEligibility: true
+ enablePeerPods: false
+ kataConfigPoolSelector: null
+ logLevel: debug
\ No newline at end of file
diff --git a/components/operators/sandboxed-containers-operator/instance/base/kustomization.yaml b/components/operators/sandboxed-containers-operator/instance/base/kustomization.yaml
new file mode 100644
index 00000000..35ab09be
--- /dev/null
+++ b/components/operators/sandboxed-containers-operator/instance/base/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- kataconfig.yaml
diff --git a/components/operators/sandboxed-containers-operator/instance/overlays/aws/kustomization.yaml b/components/operators/sandboxed-containers-operator/instance/overlays/aws/kustomization.yaml
new file mode 100644
index 00000000..880b1ce2
--- /dev/null
+++ b/components/operators/sandboxed-containers-operator/instance/overlays/aws/kustomization.yaml
@@ -0,0 +1,18 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ../../base
+ - ../../base/aws
+
+patches:
+ - target:
+ group: kataconfiguration.openshift.io
+ kind: KataConfig
+ patch: |-
+ - op: add
+ path: /spec/kataConfigPoolSelector
+ value:
+ matchExpressions:
+ - operator: Exists
+ key: node-role.kubernetes.io/metal
diff --git a/components/operators/sandboxed-containers-operator/instance/overlays/default/kustomization.yaml b/components/operators/sandboxed-containers-operator/instance/overlays/default/kustomization.yaml
new file mode 100644
index 00000000..774a422d
--- /dev/null
+++ b/components/operators/sandboxed-containers-operator/instance/overlays/default/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ../../base
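Review bot: `logLevel: debug` in kataconfig.yaml sits in the base that both the `default` and `aws` overlays inherit, so every consumer gets verbose operator logging unless they add a patch of their own; the base should carry the production default and an overlay (or a comment) should opt into debug. `checkNodeEligibility: true` also makes this KataConfig depend on the NFD `feature.node.kubernetes.io/runtime.kata` label that the separate nfd kata overlay in this commit produces, and nothing here orders or documents that dependency; a comment such as `# requires the NFD kata overlay to label eligible nodes` above the field would make the cross-component requirement explicit.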
diff --git a/components/operators/sandboxed-containers-operator/operator/base/kustomization.yaml b/components/operators/sandboxed-containers-operator/operator/base/kustomization.yaml
new file mode 100644
index 00000000..1e66bd5f
--- /dev/null
+++ b/components/operators/sandboxed-containers-operator/operator/base/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - namespace.yaml
+ - operator-group.yaml
+ - subscription.yaml
diff --git a/components/operators/sandboxed-containers-operator/operator/base/namespace.yaml b/components/operators/sandboxed-containers-operator/operator/base/namespace.yaml
new file mode 100644
index 00000000..247a42ba
--- /dev/null
+++ b/components/operators/sandboxed-containers-operator/operator/base/namespace.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ annotations:
+ openshift.io/display-name: "OpenShift sandboxed containers Operator"
+ labels:
+ openshift.io/cluster-monitoring: 'true'
+ name: openshift-sandboxed-containers-operator
diff --git a/components/operators/sandboxed-containers-operator/operator/base/operator-group.yaml b/components/operators/sandboxed-containers-operator/operator/base/operator-group.yaml
new file mode 100644
index 00000000..29059eb9
--- /dev/null
+++ b/components/operators/sandboxed-containers-operator/operator/base/operator-group.yaml
@@ -0,0 +1,8 @@
+apiVersion: operators.coreos.com/v1
+kind: OperatorGroup
+metadata:
+ name: sandboxed-containers-operator-group
+ namespace: openshift-sandboxed-containers-operator
+spec:
+ targetNamespaces:
+ - openshift-sandboxed-containers-operator
diff --git a/components/operators/sandboxed-containers-operator/operator/base/subscription.yaml b/components/operators/sandboxed-containers-operator/operator/base/subscription.yaml
new file mode 100644
index 00000000..f2479a6c
--- /dev/null
+++ b/components/operators/sandboxed-containers-operator/operator/base/subscription.yaml
@@ -0,0 +1,11 @@
+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+metadata:
+ name: sandboxed-containers-operator
+ namespace: openshift-sandboxed-containers-operator
+spec:
+ channel: patch-me-see-overlays-dir
+ installPlanApproval: Automatic
+ name: sandboxed-containers-operator
+ source: redhat-operators
+ sourceNamespace: openshift-marketplace
diff --git a/components/operators/sandboxed-containers-operator/operator/overlays/preview-1.0/kustomization.yaml b/components/operators/sandboxed-containers-operator/operator/overlays/preview-1.0/kustomization.yaml
new file mode 100644
index 00000000..fd8fe261
--- /dev/null
+++ b/components/operators/sandboxed-containers-operator/operator/overlays/preview-1.0/kustomization.yaml
@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ../../base
+
+patches:
+ - target:
+ kind: Subscription
+ name: sandboxed-containers-operator
+ path: patch-channel.yaml
diff --git a/components/operators/sandboxed-containers-operator/operator/overlays/preview-1.0/patch-channel.yaml b/components/operators/sandboxed-containers-operator/operator/overlays/preview-1.0/patch-channel.yaml
new file mode 100644
index 00000000..a520a0bb
--- /dev/null
+++ b/components/operators/sandboxed-containers-operator/operator/overlays/preview-1.0/patch-channel.yaml
@@ -0,0 +1,3 @@
+- op: replace
+ path: /spec/channel
+ value: preview-1.0
diff --git a/components/operators/sandboxed-containers-operator/operator/overlays/preview-1.1/kustomization.yaml b/components/operators/sandboxed-containers-operator/operator/overlays/preview-1.1/kustomization.yaml
new file mode 100644
index 00000000..fd8fe261
--- /dev/null
+++ b/components/operators/sandboxed-containers-operator/operator/overlays/preview-1.1/kustomization.yaml
@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ../../base
+
+patches:
+ - target:
+ kind: Subscription
+ name: sandboxed-containers-operator
+ path: patch-channel.yaml
diff --git a/components/operators/sandboxed-containers-operator/operator/overlays/preview-1.1/patch-channel.yaml b/components/operators/sandboxed-containers-operator/operator/overlays/preview-1.1/patch-channel.yaml
new file mode 100644
index 00000000..18301a95
--- /dev/null
+++ b/components/operators/sandboxed-containers-operator/operator/overlays/preview-1.1/patch-channel.yaml
@@ -0,0 +1,3 @@
+- op: replace
+ path: /spec/channel
+ value: preview-1.1
diff --git a/components/operators/sandboxed-containers-operator/operator/overlays/stable-1.2/kustomization.yaml b/components/operators/sandboxed-containers-operator/operator/overlays/stable-1.2/kustomization.yaml
new file mode 100644
index 00000000..fd8fe261
--- /dev/null
+++ b/components/operators/sandboxed-containers-operator/operator/overlays/stable-1.2/kustomization.yaml
@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ../../base
+
+patches:
+ - target:
+ kind: Subscription
+ name: sandboxed-containers-operator
+ path: patch-channel.yaml
diff --git a/components/operators/sandboxed-containers-operator/operator/overlays/stable-1.2/patch-channel.yaml b/components/operators/sandboxed-containers-operator/operator/overlays/stable-1.2/patch-channel.yaml
new file mode 100644
index 00000000..ea083d36
--- /dev/null
+++ b/components/operators/sandboxed-containers-operator/operator/overlays/stable-1.2/patch-channel.yaml
@@ -0,0 +1,3 @@
+- op: replace
+ path: /spec/channel
+ value: stable-1.2
diff --git a/components/operators/sandboxed-containers-operator/operator/overlays/stable-1.3/kustomization.yaml b/components/operators/sandboxed-containers-operator/operator/overlays/stable-1.3/kustomization.yaml
new file mode 100644
index 00000000..fd8fe261
--- /dev/null
+++ b/components/operators/sandboxed-containers-operator/operator/overlays/stable-1.3/kustomization.yaml
@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ../../base
+
+patches:
+ - target:
+ kind: Subscription
+ name: sandboxed-containers-operator
+ path: patch-channel.yaml
diff --git a/components/operators/sandboxed-containers-operator/operator/overlays/stable-1.3/patch-channel.yaml b/components/operators/sandboxed-containers-operator/operator/overlays/stable-1.3/patch-channel.yaml
new file mode 100644
index 00000000..c788d4e1
--- /dev/null
+++ b/components/operators/sandboxed-containers-operator/operator/overlays/stable-1.3/patch-channel.yaml
@@ -0,0 +1,3 @@
+- op: replace
+ path: /spec/channel
+ value: stable-1.3
diff --git a/components/operators/sandboxed-containers-operator/operator/overlays/stable/kustomization.yaml b/components/operators/sandboxed-containers-operator/operator/overlays/stable/kustomization.yaml
new file mode 100644
index 00000000..fd8fe261
--- /dev/null
+++ b/components/operators/sandboxed-containers-operator/operator/overlays/stable/kustomization.yaml
@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ../../base
+
+patches:
+ - target:
+ kind: Subscription
+ name: sandboxed-containers-operator
+ path: patch-channel.yaml
diff --git a/components/operators/sandboxed-containers-operator/operator/overlays/stable/patch-channel.yaml b/components/operators/sandboxed-containers-operator/operator/overlays/stable/patch-channel.yaml
new file mode 100644
index 00000000..6642eb17
--- /dev/null
+++ b/components/operators/sandboxed-containers-operator/operator/overlays/stable/patch-channel.yaml
@@ -0,0 +1,3 @@
+- op: replace
+ path: /spec/channel
+ value: stable
diff --git a/docs/TODO.md b/docs/TODO.md
index a1ff4580..7b4de1db 100644
--- a/docs/TODO.md
+++ b/docs/TODO.md
@@ -8,3 +8,4 @@ - [ ] Review: https://github.com/argoproj/argocd-example-apps/blob/master/plugins/kustomized-helm/README.md - [ ] Review: https://kubectl.docs.kubernetes.io/references/kustomize/builtins/#_helmchartinflationgenerator - [ ] Review: AWS user security. Limit access to the OCP provisioner account (reassign `Administrator' role to something limited) +- [ ] simplify / make generic machineset creation function diff --git a/scripts/library/ocp.sh b/scripts/library/ocp.sh index 7667ece5..e826ca25 100644 --- a/scripts/library/ocp.sh +++ b/scripts/library/ocp.sh 
@@ -69,6 +69,40 @@ ocp_aws_cluster_autoscaling(){ ocp_scale_machineset 1 "${WORKER_MS}" } +ocp_aws_create_metal_machineset(){ + # https://aws.amazon.com/ec2/instance-types/m5zn + # m5.metal + # m5n.metal + INSTANCE_TYPE=${1:-m5zn.metal} + MACHINE_SET=$(oc -n openshift-machine-api get machinesets.machine.openshift.io -o name | grep worker | head -n1) + + # check for an existing metal machine set + if oc -n openshift-machine-api get machinesets.machine.openshift.io -o name | grep metal; then + echo "Exists: METAL machineset" + else + echo "Creating: METAL machineset" + oc -n openshift-machine-api get "${MACHINE_SET}" -o yaml | \ + sed '/machine/ s/-worker/-metal/g + /name/ s/-worker/-metal/g + s/instanceType.*/instanceType: '"${INSTANCE_TYPE}"'/ + s/replicas.*/replicas: 0/' | \ + oc apply -f - + fi + + MACHINE_SET_METAL=$(oc -n openshift-machine-api get machinesets.machine.openshift.io -o name | grep metal | head -n1) + + echo "Patching: Metal machineset" + + # cosmetic + oc -n openshift-machine-api \ + patch "${MACHINE_SET_METAL}" \ + --type=merge --patch '{"spec":{"template":{"spec":{"metadata":{"labels":{"node-role.kubernetes.io/metal":""}}}}}}' + + oc -n openshift-machine-api \ + patch "${MACHINE_SET_METAL}" \ + --type=merge --patch '{"spec":{"template":{"spec":{"providerSpec":{"value":{"instanceType":"'"${INSTANCE_TYPE}"'"}}}}}}' +} + ocp_aws_create_gpu_machineset(){ # https://aws.amazon.com/ec2/instance-types/g4 # single gpu: g4dn.{2,4,8,16}xlarge
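Review bot: `MACHINE_SET` is taken from `grep worker | head -n1` with no check that anything matched, so on a cluster whose worker MachineSets are named differently the function proceeds to `oc ... get "" -o yaml` and pipes the error into `oc apply`; guard it with `[ -n "${MACHINE_SET}" ] || { echo "No worker machineset found"; return 1; }`. The full `-o yaml` dump is rewritten with `sed` and applied as-is, so server-populated fields (`status`, `metadata.uid`, `metadata.resourceVersion`, `creationTimestamp`) travel into the new object, which the API server may reject or which at best leaves stale data in the apply; stripping them before `oc apply` would be safer. The `/name/ s/-worker/-metal/g` substitution also rewrites every line containing `name`, label selectors included, which is presumably intended but deserves a comment saying so. This function is byte-for-byte the copy embedded in `setup-machineset.yaml` in this commit, which the new TODO entry acknowledges; keeping a single copy would avoid the two drifting.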