diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 8490918c..f937c076 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -4,5 +4,5 @@ Description of changes: - - -Output of `argocd app list` command or screenshot of the ArgoCD Application synchronization window showing successful application of changes in this branch. +Output of `argocd app list` command or screenshot of the Argo CD Application synchronization window showing successful application of changes in this branch. diff --git a/config/argocd-rhacm/templates/0200-rhacm-cloudpaks-app.yaml b/config/argocd-rhacm/templates/0200-rhacm-cloudpaks-app.yaml index 4d7ab1ee..d233fb63 100644 --- a/config/argocd-rhacm/templates/0200-rhacm-cloudpaks-app.yaml +++ b/config/argocd-rhacm/templates/0200-rhacm-cloudpaks-app.yaml @@ -9,7 +9,7 @@ metadata: namespace: {{.Values.metadata.argocd_namespace}} spec: destination: - namespace: open-cluster-management + namespace: {{.Values.metadata.argocd_namespace}} server: https://kubernetes.default.svc ignoreDifferences: - group: argoproj.io diff --git a/config/rhacm/cloudpaks/templates/placement-gitops-policy.yaml b/config/rhacm/cloudpaks/templates/placement-gitops-policy.yaml new file mode 100644 index 00000000..209bdc07 --- /dev/null +++ b/config/rhacm/cloudpaks/templates/placement-gitops-policy.yaml 
@@ -0,0 +1,36 @@
+{{- $argocd_namespace := .Values.metadata.argocd_namespace -}}
+{{- range tuple "cp4a" "cp4aiops" "cp4d" "cp4i" "cp4s" }}
+---
+apiVersion: apps.open-cluster-management.io/v1
+kind: PlacementRule
+metadata:
+ annotations:
+ argocd.argoproj.io/sync-wave: "200"
+ name: placement-openshift-gitops-entitlement-key-{{.}}
+ namespace: "{{ $argocd_namespace }}"
+spec:
+ clusterConditions:
+ - status: 'True'
+ type: ManagedClusterConditionAvailable
+ clusterSelector:
+ matchExpressions:
+ - key: {{.}}
+ operator: Exists
+ values: []
+---
+apiVersion: policy.open-cluster-management.io/v1
+kind: PlacementBinding
+metadata:
+ annotations:
+ argocd.argoproj.io/sync-wave: "300"
+ name: binding-openshift-gitops-entitlement-key-{{.}}
+ namespace: "{{ $argocd_namespace }}"
+placementRef:
+ name: placement-openshift-gitops-entitlement-key-{{.}}
+ kind: PlacementRule
+ apiGroup: apps.open-cluster-management.io
+subjects:
+ - name: cloudpak-entitlement-key
+ kind: Policy
+ apiGroup: policy.open-cluster-management.io
+{{- end }}
diff --git a/config/rhacm/cloudpaks/templates/policy-cpwaiops.yaml b/config/rhacm/cloudpaks/templates/policy-cp4aiops.yaml
similarity index 100%
rename from config/rhacm/cloudpaks/templates/policy-cpwaiops.yaml
rename to config/rhacm/cloudpaks/templates/policy-cp4aiops.yaml
diff --git a/config/rhacm/cloudpaks/templates/policy-entitlement-key.yaml b/config/rhacm/cloudpaks/templates/policy-entitlement-key.yaml
new file mode 100644
index 00000000..6ed22b59
--- /dev/null
+++ b/config/rhacm/cloudpaks/templates/policy-entitlement-key.yaml
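Review bot: The PlacementBinding generated here is placed in `{{ $argocd_namespace }}`, which comes from `.Values.metadata.argocd_namespace`, but the `cloudpak-entitlement-key` Policy it names as subject (policy-entitlement-key.yaml in this same commit) uses `namespace: "{{ .Values.argocd_namespace }}"`. A PlacementBinding binds policies in its own namespace, so unless the chart values define both keys with the same value the policy is never placed; every other template in this commit uses the `metadata.`-prefixed key, so the Policy line is most likely the one to change: `namespace: "{{ .Values.metadata.argocd_namespace }}"`. A one-line comment above the `range` would also help, stating that each PlacementRule matches any available managed cluster that carries the Cloud Pak label key at all, regardless of its value, since `operator: Exists` with `values: []` is easy to misread as a match on an empty value.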
@@ -0,0 +1,41 @@
+---
+apiVersion: policy.open-cluster-management.io/v1
+kind: Policy
+metadata:
+ name: cloudpak-entitlement-key
+ namespace: "{{ .Values.argocd_namespace }}"
+ annotations:
+ argocd.argoproj.io/compare-options: IgnoreExtraneous
+ argocd.argoproj.io/sync-options: SkipPrune
+ argocd.argoproj.io/sync-wave: "200"
+ policy.open-cluster-management.io/categories: CM Configuration Management
+ policy.open-cluster-management.io/controls: CM-2 Baseline Configuration
+ policy.open-cluster-management.io/standards: NIST SP 800-53
+spec:
+ disabled: false
+ policy-templates:
+ - objectDefinition:
+ apiVersion: policy.open-cluster-management.io/v1
+ kind: ConfigurationPolicy
+ metadata:
+ name: policy-entkey
+ spec:
+ namespaceSelector:
+ exclude:
+ - kube-*
+ include:
+ - default
+ object-templates:
+ - complianceType: musthave
+ objectDefinition:
+ apiVersion: v1
+ data:
+ .dockerconfigjson: '{{ "{{hub fromSecret \"openshift-gitops\" \"ibm-entitlement-key\" \".dockerconfigjson\" hub}}" }}'
+ kind: Secret
+ metadata:
+ name: ibm-entitlement-key
+ namespace: openshift-gitops
+ type: kubernetes.io/dockerconfigjson
+ remediationAction: inform
+ severity: low
+ remediationAction: enforce
diff --git a/config/rhacm/seeds/templates/0020-argocd-roles.yaml b/config/rhacm/seeds/templates/0020-argocd-roles.yaml
index 38950165..b38ad0bf 100644
--- a/config/rhacm/seeds/templates/0020-argocd-roles.yaml
+++ b/config/rhacm/seeds/templates/0020-argocd-roles.yaml
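Review bot: The `fromSecret` hub template on the `.dockerconfigjson` line copies the entitlement key into the replicated Policy in plaintext, so anyone who can read `Policy` objects in the managed-cluster namespaces on the hub can recover the registry credential; RHACM provides the `protect` template function for this case, e.g. `.dockerconfigjson: '{{ "{{hub fromSecret \"openshift-gitops\" \"ibm-entitlement-key\" \".dockerconfigjson\" | protect hub}}" }}'`. The template-level `remediationAction: inform` is overridden by the Policy-level `remediationAction: enforce`, so either drop the inner value or add a comment saying the outer one wins, otherwise a reader may believe the secret is only audited rather than created. `severity: low` is a questionable rating for a policy that distributes a registry credential, and the `namespaceSelector` (`include: default`) appears irrelevant because the object sets `namespace: openshift-gitops` explicitly; a short comment explaining both choices would help the next maintainer.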
@@ -19,6 +19,24 @@ rules:
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
+metadata:
+ annotations:
+ argocd.argoproj.io/sync-wave: "21"
+ creationTimestamp: null
+ name: argocd-rhacm-role
+ namespace: "{{.Values.metadata.argocd_namespace}}"
+rules:
+ - apiGroups:
+ - apps.open-cluster-management.io
+ - operator.open-cluster-management.io
+ - policy.open-cluster-management.io
+ resources:
+ - "*"
+ verbs:
+ - "*"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
 metadata:
 annotations:
 argocd.argoproj.io/sync-wave: "21"
diff --git a/config/rhacm/seeds/templates/0030-argocd-role-bindings.yaml b/config/rhacm/seeds/templates/0030-argocd-role-bindings.yaml
index 7bae59d9..b72b11aa 100644
--- a/config/rhacm/seeds/templates/0030-argocd-role-bindings.yaml
+++ b/config/rhacm/seeds/templates/0030-argocd-role-bindings.yaml
@@ -18,6 +18,23 @@ subjects:
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
+metadata:
+ annotations:
+ argocd.argoproj.io/sync-wave: "30"
+ creationTimestamp: null
+ name: argocd-rhacm-binding
+ namespace: "{{.Values.metadata.argocd_namespace}}"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: argocd-rhacm-role
+subjects:
+ - kind: ServiceAccount
+ name: "{{.Values.serviceaccount.argocd_application_controller}}"
+ namespace: "{{.Values.metadata.argocd_namespace}}"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
 metadata:
 annotations:
 argocd.argoproj.io/sync-wave: "30"
diff --git a/config/rhacm/seeds/templates/0200-gitops-managed-cluster-set.yaml b/config/rhacm/seeds/templates/0200-gitops-managed-cluster-set.yaml
index 1984b388..a38d96e1 100644
--- a/config/rhacm/seeds/templates/0200-gitops-managed-cluster-set.yaml
+++ b/config/rhacm/seeds/templates/0200-gitops-managed-cluster-set.yaml
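Review bot: The new `argocd-rhacm-role` grants `resources: "*"` with `verbs: "*"` on all three open-cluster-management.io groups, which is broader than the templates this commit adds need; a least-privilege rule set would list the kinds Argo CD actually syncs here (`placementrules`, `policies`, `placementbindings`) with the verbs a sync requires, and the wildcard on `operator.open-cluster-management.io` deserves a comment naming which resource needs it, since nothing in this diff creates objects in that group. The Role is namespaced to `{{.Values.metadata.argocd_namespace}}` and bound to the application-controller ServiceAccount by the `argocd-rhacm-binding` hunk in 0030-argocd-role-bindings.yaml on the same line, so the grant is confined to one namespace, but that is the namespace where the hub-side Policies carrying the entitlement key are created. `creationTimestamp: null` on both new objects is a leftover of exporting with `-o yaml` and can be dropped.
```yaml
rules:
  # Narrowed from resources/verbs "*": only the kinds the rhacm charts
  # sync into this namespace, with the verbs an Argo CD sync needs.
  - apiGroups:
      - apps.open-cluster-management.io
    resources:
      - placementrules
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups:
      - policy.open-cluster-management.io
    resources:
      - policies
      - placementbindings
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
# … unchanged: following Role definition …
```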
@@ -1,4 +1,4 @@ -# https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.7/html/applications/managing-applications#gitops-config +# https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.8/html/applications/managing-applications#gitops-config --- apiVersion: cluster.open-cluster-management.io/v1beta2 kind: ManagedClusterSet diff --git a/config/rhacm/seeds/templates/9000-post-multi-cluster-engine.yaml b/config/rhacm/seeds/templates/9000-post-multi-cluster-engine.yaml index 3a8dac2e..1d5902a2 100644 --- a/config/rhacm/seeds/templates/9000-post-multi-cluster-engine.yaml +++ b/config/rhacm/seeds/templates/9000-post-multi-cluster-engine.yaml @@ -1,4 +1,4 @@ -# https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.7/html-single/clusters/index#hosting-service-cluster-configure-aws +# https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.8/html-single/clusters/index#hosting-service-cluster-configure-aws --- apiVersion: batch/v1 kind: Job diff --git a/docs/install.md b/docs/install.md index 37a733b0..d81c174b 100644 --- a/docs/install.md +++ b/docs/install.md @@ -26,7 +26,7 @@ ## Prerequisites -- An OpenShift Container Platform cluster, version 4.8 or later. +- An OpenShift Container Platform cluster, version 4.12 or later. The applications were tested on both managed and self-managed deployments. @@ -61,7 +61,7 @@ ```sh oc version --client - # Client Version: 4.10.60 + # Client Version: 4.12.47 ``` Ideally, the client's minor version should be at most one iteration behind the server version. Most commands here are pretty basic and will work with more significant differences, but keep that in mind if you see errors about unrecognized commands and parameters. 
@@ -155,7 +155,7 @@ oc create secret docker-registry ibm-entitlement-key \ --docker-server=cp.icr.io \ --docker-username=cp \ --docker-password="${IBM_ENTITLEMENT_KEY:?}" \ - --docker-email="non-existent-replace-with0-yours@email.com" \ + --docker-email="non-existent-replace-with-yours@email.com" \ --namespace=openshift-gitops ``` @@ -380,7 +380,7 @@ After completing the list of activities listed in the previous sections, you can argocd app list -l app.kubernetes.io/instance=${app_name} ``` -1. You can also use the ArgoCD command-line interface to wait for the application to be synchronized and healthy: +1. You can also use the Argo CD command-line interface to wait for the application to be synchronized and healthy: ```sh argocd app wait "${app_name}" \ diff --git a/docs/rhacm.md b/docs/rhacm.md index cb330bfc..920bcdb6 100644 --- a/docs/rhacm.md +++ b/docs/rhacm.md @@ -5,8 +5,12 @@ - [Red Hat Advanced Cluster Management for Kubernetes](#red-hat-advanced-cluster-management-for-kubernetes) - [Contents](#contents) - [Overview](#overview) + - [Prerequisites](#prerequisites) - [Installation](#installation) - - [Install RHACM on OCP cluster via Argo](#install-rhacm-on-ocp-cluster-via-argo) + - [Install the OpenShift GitOps operator](#install-the-openshift-gitops-operator) + - [Install RHACM on OCP cluster via Argo CD](#install-rhacm-on-ocp-cluster-via-argo-cd) + - [Obtain an entitlement key](#obtain-an-entitlement-key) + - [Update the pull secret in the openshift-gitops namespace](#update-the-pull-secret-in-the-openshift-gitops-namespace) - [Using the policies](#using-the-policies) - [Policies](#policies) - [Label your clusters](#label-your-clusters) 
@@ -23,10 +27,29 @@ Red Hat Advanced Cluster Management for Kubernetes (referred to as RHACM through This repository contains governance policies and placement rules for Argo CD itself and the Argo CD Application resources representing the Cloud Paks. +--- + +## Prerequisites + +- An OpenShift Container Platform cluster, version 4.12 or later. + + The applications were tested on both managed and self-managed deployments. + +- Adequate worker node capacity in the cluster for RHACM to be installed. + + Refer to the [RHACM documentation](https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.8/html/install/installing#sizing-your-cluster) to determine the required capacity for the cluster. + +- [An entitlement key to the IBM Entitled Registry](#obtain-an-entitlement-key). This key is required in the RHACM cluster so it can be copied over to the managed clusters when a cluster matches a policy to install a Cloud Pak. + +--- + ## Installation +### Install the OpenShift GitOps operator -### Install RHACM on OCP cluster via Argo +Follow the instructions in the [Red Hat OpenShift GitOps Installation page](https://docs.openshift.com/gitops/1.8/installing_gitops/installing-openshift-gitops.html) with special care to **use the `gitops-1.8` subscription channel instead of `latest`** (at least, until issue [#289](https://github.com/IBM/cloudpak-gitops/issues/289) is addressed.) + +### Install RHACM on OCP cluster via Argo CD These steps assume you logged in to the OCP server with the `oc` command-line interface: 
@@ -71,6 +94,44 @@ These steps assume you logged in to the OCP server with the `oc` command-line in --health ``` +## Obtain an entitlement key + +If you don't already have an entitlement key to the IBM Entitled Registry, obtain your key using the following instructions: + +1. Go to the [Container software library](https://myibm.ibm.com/products-services/containerlibrary). + +1. Click the "Copy key." + +1. Copy the entitlement key to a safe place to update the cluster's global pull secret. + +1. (Optional) Verify the validity of the key by logging in to the IBM Entitled Registry using a container tool: + + ```sh + export IBM_ENTITLEMENT_KEY=the key from the previous steps + podman login cp.icr.io --username cp --password "${IBM_ENTITLEMENT_KEY:?}" + ``` + +--- + +## Update the pull secret in the openshift-gitops namespace + +Global pull secrets require granting too much privilege to the OpenShift GitOps service account, so we have started transitioning to the definition of pull secrets at a namespace level. + +The Application resources are transitioning to use `PreSync` hooks to copy the entitlement key from a `Secret` named `ibm-entitlement-key` in the `openshift-gitops` namespace, so issue the following command to create that secret: + +```sh +# Note that if you just created the OpenShift GitOps operator +# the namespace may not be ready yet, so you may need to wait +# a minute or two +oc create secret docker-registry ibm-entitlement-key \ + --docker-server=cp.icr.io \ + --docker-username=cp \ + --docker-password="${IBM_ENTITLEMENT_KEY:?}" \ + --docker-email="non-existent-replace-with-yours@email.com" \ + --namespace=openshift-gitops +``` + +--- ## Using the policies 
@@ -96,32 +157,32 @@ Labels: - `gitops-branch` + `cp4i`: Placement for Cloud Pak for Integration. - `gitops-branch` + `cp4s`: Placement for Cloud Pak for Security. - `gitops-branch` + `cp4aiops`: Placement for Cloud Pak for AIOps. -- `gitops-remote` + `true`: Assign cluster to the `gitops-cluster` cluster-set, registering it to the [GitOps Cluster](https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.7/html/applications/managing-applications#gitops-config). +- `gitops-remote` + `true`: Assign cluster to the `gitops-cluster` cluster-set, registering it to the [GitOps Cluster](https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.8/html/applications/managing-applications#gitops-config). Values for each label: - `gitops-branch`: Branch of this repo for the Argo applications. Unless you are developing and testing on a new branch, use the default value `main`. -- cp4a: Namespace for deploying the Cloud Pak. Unless you want multiple Cloud Paks in different namespaces of the cluster, use the default value `ibm-cloudpaks`. -- `cp4aiops`: Namespace for deploying the Cloud Pak. Unless you want multiple Cloud Paks in different namespaces of the cluster, use the default value `ibm-cloudpaks`. -- `cp4d`: Namespace for deploying the Cloud Pak. As of release 4.0.6, and as a product limitation, do not use the same namespace as other Cloud Paks if installing Cloud Pak for Data to the same cluster. -- `cp4i`: Namespace for deploying the Cloud Pak. Unless you want multiple Cloud Paks in different namespaces of the cluster, use the default value `ibm-cloudpaks`. -- `cp4s`: Namespace for deploying the Cloud Pak. Unless you want multiple Cloud Paks in different namespaces of the cluster, use the default value `ibm-cloudpaks`. +- cp4a: Namespace for deploying the Cloud Pak. +- `cp4aiops`: Namespace for deploying the Cloud Pak. +- `cp4d`: Namespace for deploying the Cloud Pak. 
+- `cp4i`: Namespace for deploying the Cloud Pak. +- `cp4s`: Namespace for deploying the Cloud Pak. ### Examples -Labeling an OCP cluster with `gitops-branch=main` and `cp4i=ibm-cloudpaks` deploys the following policies to a target cluster: +Labeling an OCP cluster with `gitops-branch=main` and `cp4i=cp4ins` deploys the following policies to a target cluster: - `openshift-gitops-installed` - `openshift-gitops-argo-app` - `openshift-gitops-cloudpaks-cp-shared` - `openshift-gitops-cloudpaks-cp4i` -Labeling an OCP cluster with `gitops-branch=main` and `cp4i=ibm-cloudpaks` deploys the following policies to a target cluster: +Labeling an OCP cluster with `gitops-branch=main` and `cp4i=cp4ins` deploys the following policies to a target cluster: - `openshift-gitops-installed`: The latest version of the OpenShift GitOps operator. - `openshift-gitops-argo-app`: The Argo configuration is pulled from the `main` branch of this repository. -`openshift-gitops-cloudpaks-cp-shared`: The Argo configuration is pulled from this repository's `main` branch. -- `openshift-gitops-cloudpaks-cp4i`: The Cloud Pak is deployed to the namespace `ibm-cloudpaks` +- `openshift-gitops-cloudpaks-cp-shared`: The Argo configuration is pulled from this repository's `main` branch. +- `openshift-gitops-cloudpaks-cp4i`: The Cloud Pak is deployed to the namespace `cp4ins` ## The "rhacm-users" group @@ -137,6 +198,7 @@ Once you have the respective users added to the cluster, you can add them to the oc adm groups add-users rhacm-users "${username:?}" ``` +--- ## Contributing 
@@ -146,6 +208,8 @@ If using OpenShift GitOps installed in the RHACM server, you need to modify the The instructions for that setup are documented in the [CONTRIBUTING.md](../CONTRIBUTING.md) page, where you need to ensure you use the `rhacm-app` application name as the parameter for the `argocd app set` commands. +--- + ## References - [Announcement of RHACM and GitOps integration](https://cloud.redhat.com/blog/red-hat-advanced-cluster-management-with-openshift-gitops) diff --git a/tests/prebuild/yamllint-config.yaml b/tests/prebuild/yamllint-config.yaml index fb3011e1..4de351d4 100644 --- a/tests/prebuild/yamllint-config.yaml +++ b/tests/prebuild/yamllint-config.yaml @@ -16,6 +16,7 @@ ignore: | config/rhacm/cloudpaks/templates/placement-argocd.yaml config/rhacm/cloudpaks/templates/placement-cloudpaks.yaml config/rhacm/cloudpaks/templates/placement-cp-shared.yaml + config/rhacm/cloudpaks/templates/placement-gitops-policy.yaml config/rhacm/seeds/templates/0000-namespace-multi-cluster-engine.yaml config/rhacm/seeds/templates/0020-rhacm-hypershift-preview-roles.yaml