diff --git a/docs/cluster-configuration.md b/docs/cluster-configuration.md
index a5a63d6f1..11a73cd45 100644
--- a/docs/cluster-configuration.md
+++ b/docs/cluster-configuration.md
@@ -1,11 +1,24 @@ # Cluster Configuration ## Preparation -TO DO +For a proper cluster configuration, the ACM PolicyGenerator CRs have to be prepared in git. +The namespace of the parent policies will be `ztp-` (see [here](./samples/git-setup/policytemplates/version_4.Y.Z/sno-ran-du/ns.yaml)). This is generally created through ArgoCD and Kustomize. + +The source-crs need to be extracted. + +For details about setting up the Git repo, please refer to the the Gitops setup [README.md](./samples/git-setup/README.md). + +**Note:** Make sure all the value used in hub templates in the PGs are exposed in the corresponding ClusterTemplate, under `spec.templateParameterSchema.policyTemplateParameters` and are present either in the `spec.templates.policyTemplateDefaults` ConfigMap or are specified through the ProvisioningRequest (`spec.templateParameters.policyTemplateParameters`). ## Initial install and configuration TO DO +## Full DU profile +For configuring an SNO with a full DU profile according to the [4.17 RAN RDS](https://docs.openshift.com/container-platform/4.17/scalability_and_performance/telco_ref_design_specs/ran/telco-ran-ref-du-crs.html), the following main samples can be used as a starting example: +* [ClusterInstance defaults ConfigMap](./samples/git-setup/clustertemplates/version_4.Y.Z/sno-ran-du/clusterinstance-defaults-v5-full-DU.yaml) +* [PolicyTemplate defaults ConfigMap](./samples/git-setup/clustertemplates/version_4.Y.Z/sno-ran-du/policytemplates-defaults-v3-full-DU.yaml) +* [ClusterTemplate](./samples/git-setup/clustertemplates/version_4.Y.Z/sno-ran-du/sno-ran-du-v4-Y-Z-5-full-DU.yaml) +* [ACM Policy Generator](./samples/git-setup/policytemplates/version_4.Y.Z/sno-ran-du/sno-ran-du-pg-v4-Y-Z-v4.yaml) ## Day 2 configuration ### Updates to the clusterInstanceParameters field under ProvisioningRequest spec.templateParameters 
diff --git a/docs/samples/git-setup/clustertemplates/version_4.Y.Z/kustomization.yaml b/docs/samples/git-setup/clustertemplates/version_4.Y.Z/kustomization.yaml index e9978c107..9e6ab447e 100644 --- a/docs/samples/git-setup/clustertemplates/version_4.Y.Z/kustomization.yaml +++ b/docs/samples/git-setup/clustertemplates/version_4.Y.Z/kustomization.yaml @@ -24,5 +24,12 @@ resources: # sno-ran-du.v4-Y-Z-4 ClusterTemplate: - sno-ran-du/sno-ran-du-v4-Y-Z-4.yaml - sno-ran-du/clusterinstance-defaults-v4.yaml +- sno-ran-du/policytemplates-defaults-v2.yaml # sno-ran-du.v4-Y-Z-1-no-hwtemplate ClusterTemplate: - sno-ran-du/sno-ran-du-v4-Y-Z-1-no-hwtemplate.yaml +# sno-ran-du.v4-Y-Z-5 ClusterTemplate: +- sno-ran-du/sno-ran-du-v4-Y-Z-5-full-DU.yaml +# sno-ran-du.v4-Y-Z-6 ClusterTemplate: +- sno-ran-du/sno-ran-du-v4-Y-Z-6-full-DU.yaml +- sno-ran-du/clusterinstance-defaults-v5-full-DU.yaml +- sno-ran-du/policytemplates-defaults-v3-full-DU.yaml diff --git a/docs/samples/git-setup/clustertemplates/version_4.Y.Z/sno-ran-du/clusterinstance-defaults-v5-full-DU.yaml b/docs/samples/git-setup/clustertemplates/version_4.Y.Z/sno-ran-du/clusterinstance-defaults-v5-full-DU.yaml new file mode 100644 index 000000000..dea7695b0 --- /dev/null +++ b/docs/samples/git-setup/clustertemplates/version_4.Y.Z/sno-ran-du/clusterinstance-defaults-v5-full-DU.yaml 
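Review bot: The `resources` list now names `sno-ran-du/policytemplates-defaults-v2.yaml` and `sno-ran-du/sno-ran-du-v4-Y-Z-5-full-DU.yaml`, but the file sections visible in this diff only add `sno-ran-du-v4-Y-Z-6-full-DU.yaml`, `clusterinstance-defaults-v5-full-DU.yaml` and `policytemplates-defaults-v3-full-DU.yaml`. If the other two files are not already in the tree, `kustomize build` fails on the missing resource and the directory cannot be synced; the same applies to `sno-ran-du/sno-ran-du-pg-v4-Y-Z-v3.yaml`, which is added to the policytemplates kustomization later in this commit. Either add the files in this commit or drop the entries. The `resources:` list starts above the hunk, so the existing entries could not be checked.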
@@ -0,0 +1,77 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: clusterinstance-defaults-v5 + namespace: sno-ran-du-v4-Y-Z +data: + # clusterProvisioningTimeout is optional. + # The value should be a duration string + # (e.g., "80m" for 80 minutes) + clusterProvisioningTimeout: "80m" + clusterinstance-defaults: | + baseDomain: example.com + extraLabels: + ManagedCluster: + cluster-version: "v4-Y-Z" + sno-ran-du-policy: "v4" + extraAnnotations: + ManagedCluster: + test-annotation: test + clusterType: SNO + clusterImageSetNameRef: "4.Y.Z" + pullSecretRef: + name: pull-secret + networkType: OVNKubernetes + sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDTca4Qyu5AYBmZbSl74cNTKuNINJ7d+ceBRzKUrhHcQpMbl8UnAYhjh/ffTyVCsgwzm1RjTAm6/tPj9euEa+YX4U78Sx+ioLHmjDvACYsti4DekIR+opFwfIw+JTDXoyVv06lOPaTOa/vtgpe+gDEL364j47f3p9H/tGhsLmpjeG3DVAhbqSh3s0IHpd4OzF/r6g6mbPyHadvedkBZp/qeUX054Gc2QqJeg/s/eddPlQDJbmL8yRVkZu+SsFTOEOAtrdA3czeaEaA8s+aWP9PN3X539Ddw3qahyOSCXpCE2eJXPh8DJCBWVEcFFYgmIFVvCQ+o9cjEmIYg6drGGvRV + installConfigOverrides: '{"capabilities": {"baselineCapabilitySet": "None", "additionalEnabledCapabilities": ["NodeTuning", "OperatorLifecycleManager", "Ingress"]}}' + ignitionConfigOverride: '{"ignition": {"version": "3.2.0"}, "storage": {"files": [{"overwrite": true, "path": "/etc/containers/policy.json", "contents": {"source":"data:text/plain;base64,ewogICAgImRlZmF1bHQiOiBbCiAgICAgICAgewogICAgICAgICAgICAidHlwZSI6ICJpbnNlY3VyZUFjY2VwdEFueXRoaW5nIgogICAgICAgIH0KICAgIF0sCiAgICAidHJhbnNwb3J0cyI6CiAgICAgICAgewogICAgICAgICAgICAiZG9ja2VyLWRhZW1vbiI6CiAgICAgICAgICAgICAgICB7CiAgICAgICAgICAgICAgICAgICAgIiI6IFt7InR5cGUiOiJpbnNlY3VyZUFjY2VwdEFueXRoaW5nIn1dCiAgICAgICAgICAgICAgICB9CiAgICAgICAgfQp9Cgo="}}]}}' + clusterNetwork: + - cidr: 203.0.113.0/24 + hostPrefix: 23 + machineNetwork: + - cidr: 192.0.2.0/24 + serviceNetwork: + - cidr: 233.252.0.0/24 + additionalNTPSources: + - 1.pool.ntp.org + templateRefs: + - name: ai-cluster-templates-v1 + namespace: siteconfig-operator + 
cpuPartitioningMode: AllNodes + extraManifestsRefs: + - name: clustertemplate-sample.v1.0.0-extramanifests + nodes: + - role: master + bootMode: UEFI + nodeNetwork: + interfaces: + - name: eno1 + label: bootable-interface + - name: eth0 + label: base-interface + - name: eth1 + label: data-interface + config: + routes: + config: + - destination: 0.0.0.0/0 + next-hop-interface: eno1 + table-id: 254 + interfaces: + - ipv6: + enabled: false + ipv4: + enabled: true + name: eno1 + state: up + type: ethernet + - ipv6: + enabled: false + ipv4: + enabled: false + name: bond99 + state: up + type: bond + templateRefs: + - name: ai-node-templates-v1 + namespace: siteconfig-operator diff --git a/docs/samples/git-setup/clustertemplates/version_4.Y.Z/sno-ran-du/policytemplates-defaults-v3-full-DU.yaml b/docs/samples/git-setup/clustertemplates/version_4.Y.Z/sno-ran-du/policytemplates-defaults-v3-full-DU.yaml new file mode 100644 index 000000000..9239230df --- /dev/null +++ b/docs/samples/git-setup/clustertemplates/version_4.Y.Z/sno-ran-du/policytemplates-defaults-v3-full-DU.yaml 
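Review bot: The `sshPublicKey` default is a complete `ssh-rsa` key rather than a placeholder, so every cluster provisioned from these defaults without an override authorizes whoever holds the matching private key. The sample should carry an obviously fake value, e.g. `sshPublicKey: <replace-with-your-ssh-public-key>`, and leave the real key to the ProvisioningRequest, where the ClusterTemplate schema in this commit already exposes `sshPublicKey`. The `ignitionConfigOverride` also overwrites `/etc/containers/policy.json` with a base64 payload that decodes to a policy whose default is `insecureAcceptAnything`, i.e. no image signature verification. Because the payload is opaque in review, I would add a comment above `clusterinstance-defaults:` such as `# ignitionConfigOverride writes a policy.json that accepts unsigned images; replace it where signature enforcement is required`.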
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: policytemplate-defaults-v3
+ namespace: sno-ran-du-v4-Y-Z
+data:
+ # clusterConfigurationTimeout is optional.
+ # The value should be a duration string
+ # (e.g., "40m" for 40 minutes)
+ clusterConfigurationTimeout: "40m"
+ policytemplate-defaults: |
+ cluster-log-fwd-filters: '[{"name":"test-labels", "type": "openshiftLabels", "openshiftLabels": {"label1": "test1", "label2": "test2"}}]'
+ cluster-log-fwd-outputs: '[{"type":"kafka","name":"kafka-open", "kafka": {"url":"tcp://10.46.55.190:9092/test"}}]'
+ cluster-log-fwd-pipelines: '[{"name":"all-to-default","inputRefs":["audit","infrastructure"],"outputRefs":["kafka-open"], "filterRefs":["test-labels"]}]'
+ cpu-isolated: 0-1,64-65
+ cpu-reserved: 2-10
+ hugepages-count: "32"
+ hugepages-default: 1G
+ hugepages-size: 1G
+ machine-config-storage-source-1: /etc/crio/crio.conf.d/01-workload-partitioning
+ machine-config-storage-source-2: /etc/kubernetes/openshift-workload-pinning
+ oadp-s3url: http://s3storage.example.com:9000
+ ptpcfgslave-profile-interface: ens15f1
+ sriov-fec-bbDevConfig: '{"acc100": {"pfMode": false, "numVfBundles": 16, "maxQueueSize": 1024, "uplink5G": {"numQueueGroups": 4, "numAqsPerGroups": 16, "aqDepthLog2": 4}, "downlink5G": {"numQueueGroups": 4, "numAqsPerGroups": 1, "aqDepthLog2": 4}, "uplink4G": {"numQueueGroups": 0, "numAqsPerGroups": 1, "aqDepthLog2": 4}, "downlink4G": {"numQueueGroups": 0, "numAqsPerGroups": 1, "aqDepthLog2": 4}}}'
+ sriov-fec-pciAddress: 0000:b4:00.1
+ sriov-fec-pfDriver: pci-pf-stub
+ sriov-fec-vfDriver: vfio-pci
+ sriov-network-pfNames-1: '["ens4f1"]'
+ sriov-network-pfNames-2: '["ens4f2"]'
+ sriov-network-vlan-1: "114"
+ sriov-network-vlan-2: "111"
+ storage-lv-devicePaths-1: /dev/disk/by-path/pci-0000:62:00.0-scsi-0:2:8:0
+ install-plan-approval: Automatic
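Review bot: The `cluster-log-fwd-outputs` default forwards the `audit` and `infrastructure` inputs to Kafka over `tcp://`, which is unencrypted and, as written, unauthenticated, and it points at a concrete address (`10.46.55.190`) while the other samples use `example.com` hosts. Audit logs routinely carry user names, source addresses and request details, so the sample should default to a TLS endpoint with a placeholder host, e.g. `"kafka": {"url":"tls://kafka.example.com:9093/test"}` (constructed value), with a comment that the output needs a secret for the broker CA and credentials. `oadp-s3url` likewise defaults to plain `http://`. `install-plan-approval: Automatic` replaces the `"Manual"` fallback that most subscriptions in the PolicyGenerator of this commit use, so operator upgrades would presumably be approved unattended by default; that deserves a comment if it is intentional.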
diff --git a/docs/samples/git-setup/clustertemplates/version_4.Y.Z/sno-ran-du/sno-ran-du-v4-Y-Z-6-full-DU.yaml b/docs/samples/git-setup/clustertemplates/version_4.Y.Z/sno-ran-du/sno-ran-du-v4-Y-Z-6-full-DU.yaml
new file mode 100644
index 000000000..f47b90f37
--- /dev/null
+++ b/docs/samples/git-setup/clustertemplates/version_4.Y.Z/sno-ran-du/sno-ran-du-v4-Y-Z-6-full-DU.yaml
@@ -0,0 +1,313 @@ +apiVersion: o2ims.provisioning.oran.org/v1alpha1 +kind: ClusterTemplate +metadata: + name: sno-ran-du.v4-Y-Z-6 + namespace: sno-ran-du-v4-Y-Z +spec: + name: sno-ran-du + version: v4-Y-Z-6 + templates: + hwTemplate: placeholder-du-template-configmap-v1 + clusterInstanceDefaults: clusterinstance-defaults-v5 + policyTemplateDefaults: policytemplate-defaults-v3 + templateParameterSchema: + properties: + nodeClusterName: + type: string + oCloudSiteId: + type: string + policyTemplateParameters: + description: policyTemplateSchema defines the available parameters for cluster configuration + properties: + cluster-log-fwd-filters: + type: string + cluster-log-fwd-outputs: + type: string + cluster-log-fwd-pipelines: + type: string + sriov-fec-bbDevConfig: + type: string + sriov-fec-pciAddress: + type: string + sriov-fec-pfDriver: + type: string + sriov-fec-vfDriver: + type: string + sriov-network-vlan-1: + type: string + sriov-network-vlan-2: + type: string + sriov-network-pfNames-1: + type: string + sriov-network-pfNames-2: + type: string + cpu-isolated: + type: string + cpu-reserved: + type: string + hugepages-default: + type: string + hugepages-size: + type: string + hugepages-count: + type: string + machine-config-storage-source-1: + type: string + machine-config-storage-source-2: + type: string + oadp-s3url: + type: string + storage-lv-devicePaths-1: + type: string + ptpcfgslave-profile-interface: + type: string + install-plan-approval: + type: string + type: object + clusterInstanceParameters: + description: clusterInstanceParameters defines the available parameters for cluster provisioning + properties: + additionalNTPSources: + description: AdditionalNTPSources is a list of NTP sources (hostname + or IP) to be added to all cluster hosts. They are added to any NTP + sources that were configured through other means. + items: + type: string + type: array + apiVIPs: + description: APIVIPs are the virtual IPs used to reach the OpenShift + cluster's API. 
Enter one IP address for single-stack clusters, or + up to two for dual-stack clusters (at most one IP address per IP + stack used). The order of stacks should be the same as order of + subnets in Cluster Networks, Service Networks, and Machine Networks. + items: + type: string + maxItems: 2 + type: array + baseDomain: + description: BaseDomain is the base domain to use for the deployed + cluster. + type: string + clusterName: + description: ClusterName is the name of the cluster. + type: string + extraAnnotations: + additionalProperties: + additionalProperties: + type: string + type: object + description: Additional cluster-wide annotations to be applied to + the rendered templates + type: object + extraLabels: + additionalProperties: + additionalProperties: + type: string + type: object + description: Additional cluster-wide labels to be applied to the rendered + templates + type: object + ingressVIPs: + description: IngressVIPs are the virtual IPs used for cluster ingress + traffic. Enter one IP address for single-stack clusters, or up to + two for dual-stack clusters (at most one IP address per IP stack + used). The order of stacks should be the same as order of subnets + in Cluster Networks, Service Networks, and Machine Networks. + items: + type: string + maxItems: 2 + type: array + machineNetwork: + description: MachineNetwork is the list of IP address pools for machines. + items: + description: MachineNetworkEntry is a single IP address block for + node IP blocks. + properties: + cidr: + description: CIDR is the IP block address pool for machines + within the cluster. + type: string + required: + - cidr + type: object + type: array + nodes: + items: + description: NodeSpec + properties: + bmcAddress: + description: BmcAddress holds the URL for accessing the controller + on the network. + type: string + bmcCredentialsName: + description: BmcCredentialsName is the name of the secret containing + the BMC credentials (requires keys "username" and "password"). 
+ properties: + name: + type: string + required: + - name + type: object + bmcCredentialsDetails: + description: A workaround to provide bmc creds through ClusterRequest + properties: + username: + type: string + password: + type: string + bootMACAddress: + description: Which MAC address will PXE boot? This is optional + for some types, but required for libvirt VMs driven by vbmc. + pattern: '[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}' + type: string + extraAnnotations: + additionalProperties: + additionalProperties: + type: string + type: object + description: Additional node-level annotations to be applied + to the rendered templates + type: object + extraLabels: + additionalProperties: + additionalProperties: + type: string + type: object + description: Additional node-level labels to be applied to the + rendered templates + type: object + hostName: + description: Hostname is the desired hostname for the host + type: string + nodeLabels: + additionalProperties: + type: string + description: NodeLabels allows the specification of custom roles + for your nodes in your managed clusters. These are additional + roles are not used by any OpenShift Container Platform components, + only by the user. When you add a custom role, it can be associated + with a custom machine config pool that references a specific + configuration for that role. Adding custom labels or roles + during installation makes the deployment process more effective + and prevents the need for additional reboots after the installation + is complete. + type: object + nodeNetwork: + description: NodeNetwork is a set of configurations pertaining + to the network settings for the node. + properties: + config: + description: yaml that can be processed by nmstate, using + custom marshaling/unmarshaling that will allow to populate + nmstate config as plain yaml. 
+ type: object + x-kubernetes-preserve-unknown-fields: true + interfaces: + description: Interfaces is an array of interface objects + containing the name and MAC address for interfaces that + are referenced in the raw nmstate config YAML. Interfaces + listed here will be automatically renamed in the nmstate + config YAML to match the real device name that is observed + to have the corresponding MAC address. At least one interface + must be listed so that it can be used to identify the + correct host, which is done by matching any MAC address + in this list to any MAC address observed on the host. + items: + properties: + macAddress: + description: mac address present on the host. + pattern: ^([0-9A-Fa-f]{2}[:]){5}([0-9A-Fa-f]{2})$ + type: string + name: + description: 'nic name used in the yaml, which relates + 1:1 to the mac address. Name in REST API: logicalNICName' + type: string + required: + - macAddress + type: object + minItems: 1 + type: array + type: object + rootDeviceHints: + description: 'RootDeviceHints specifies the device for deployment. + Identifiers that are stable across reboots are recommended, + for example, wwn: or deviceName: /dev/disk/by-path/' + properties: + deviceName: + description: A Linux device name like "/dev/vda", or a by-path + link to it like "/dev/disk/by-path/pci-0000:01:00.0-scsi-0:2:0:0". + The hint must match the actual value exactly. + type: string + hctl: + description: A SCSI bus address like 0:0:0:0. The hint must + match the actual value exactly. + type: string + minSizeGigabytes: + description: The minimum size of the device in Gigabytes. + minimum: 0 + type: integer + model: + description: A vendor-specific device identifier. The hint + can be a substring of the actual value. + type: string + rotational: + description: True if the device should use spinning media, + false otherwise. + type: boolean + serialNumber: + description: Device serial number. The hint must match the + actual value exactly. 
+ type: string + vendor: + description: The name of the vendor or manufacturer of the + device. The hint can be a substring of the actual value. + type: string + wwn: + description: Unique storage identifier. The hint must match + the actual value exactly. + type: string + wwnVendorExtension: + description: Unique vendor storage identifier. The hint + must match the actual value exactly. + type: string + wwnWithExtension: + description: Unique storage identifier with the vendor extension + appended. The hint must match the actual value exactly. + type: string + type: object + required: + - hostName + type: object + type: array + serviceNetwork: + description: ServiceNetwork is the list of IP address pools for services. + items: + description: ServiceNetworkEntry is a single IP address block for + node IP blocks. + properties: + cidr: + description: CIDR is the IP block address pool for machines + within the cluster. + type: string + required: + - cidr + type: object + type: array + sshPublicKey: + description: SSHPublicKey is the public Secure Shell (SSH) key to + provide access to instances. This key will be added to the host + to allow ssh access + type: string + required: + - clusterName + - nodes + type: object + +# Notes: +# clusterInstanceParameters contains only params that are exposed to the ProvisioningRequest. +# +# When HW is ready, bmcAddress, bmcCredentialsName, bootMACAddress and nodes.nodeNetwork.macAddress +# should be removed from the schema as they are supposed to come from HW. +# +# Ideally, rootDeviceHints should come from default configmap. Keep it in the schema to make this template +# be able to used for multiple SNOs with different rootDeviceHints. diff --git a/docs/samples/git-setup/policytemplates/version_4.Y.Z/kustomization.yaml b/docs/samples/git-setup/policytemplates/version_4.Y.Z/kustomization.yaml index 1b084602f..92efc0209 100644 --- a/docs/samples/git-setup/policytemplates/version_4.Y.Z/kustomization.yaml 
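Review bot: The `bootMACAddress` pattern `'[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}'` is not anchored, so any string that merely contains a MAC address passes validation, unlike the anchored `macAddress` pattern under `nodeNetwork.interfaces` in the same schema; it should read `pattern: '^[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}$'`. `bmcCredentialsDetails` takes `username` and `password` as plain schema strings, which puts BMC credentials into the ProvisioningRequest spec where anyone with read access to that resource can see them, and the block also lacks `type: object`. The trailing notes already list the BMC fields that should leave the schema once hardware provisioning supplies them; I would add `bmcCredentialsDetails` to that list and say in its `description` that the secret referenced by `bmcCredentialsName` is the preferred path.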
+++ b/docs/samples/git-setup/policytemplates/version_4.Y.Z/kustomization.yaml @@ -2,7 +2,8 @@ generators: - sno-ran-du/sno-ran-du-pg-v4-Y-Z-v1.yaml # This ACM PG is needed when the previous one has to be updated. - sno-ran-du/sno-ran-du-pg-v4-Y-Z-v2.yaml - +- sno-ran-du/sno-ran-du-pg-v4-Y-Z-v3.yaml +- sno-ran-du/sno-ran-du-pg-v4-Y-Z-v4-full-DU.yaml resources: - sno-ran-du/ns.yaml diff --git a/docs/samples/git-setup/policytemplates/version_4.Y.Z/sno-ran-du/sno-ran-du-pg-v4-Y-Z-v4-full-DU.yaml b/docs/samples/git-setup/policytemplates/version_4.Y.Z/sno-ran-du/sno-ran-du-pg-v4-Y-Z-v4-full-DU.yaml new file mode 100644 index 000000000..e049c50d5 --- /dev/null +++ b/docs/samples/git-setup/policytemplates/version_4.Y.Z/sno-ran-du/sno-ran-du-pg-v4-Y-Z-v4-full-DU.yaml 
@@ -0,0 +1,376 @@ +apiVersion: policy.open-cluster-management.io/v1 +kind: PolicyGenerator +metadata: + name: sno-ran-du-pg-v4-Y-Z-v4 +policyDefaults: + namespace: ztp-sno-ran-du-v4-Y-Z + # Use an existing placement rule so that placement bindings can be consolidated + placement: + # These labels must match the labels set for the ManagedCluster either through the ProvisioningRequest + # or the ClusterInstance ConfigMap. + labelSelector: + cluster-version: "v4-Y-Z" + sno-ran-du-policy: "v4" + remediationAction: enforce + severity: low + namespaceSelector: + exclude: + - kube-* + include: + - '*' + evaluationInterval: + compliant: 5m + noncompliant: 10s + orderPolicies: true +policies: +# REDUCE FOOTPRINT +- name: v4-footprint-policy + manifests: + # Do not add retention field for prometheusK8s when observability is enabled. + # It will be overridden by OBS. + - path: source-crs/ReduceMonitoringFootprint.yaml + patches: + - data: + config.yaml: | + alertmanagerMain: + enabled: false + telemeterClient: + enabled: false +# CATALOG SOURCE +- name: v4-catalog-source-policy + manifests: + - path: source-crs/DefaultCatsrc.yaml + patches: + - metadata: + name: redhat-operators + spec: + displayName: redhat-operators + image: registry.redhat.io/redhat/redhat-operator-index:v4.Y + - path: source-crs/DefaultCatsrc.yaml + patches: + - metadata: + name: certified-operators + spec: + displayName: certified-operators + image: registry.redhat.io/redhat/certified-operator-index:v4.Y +# SUBSCRIPTIONS +- name: v4-subscriptions-policy + manifests: + # Cluster Logging operator + - path: source-crs/ClusterLogNS.yaml + - path: source-crs/ClusterLogOperGroup.yaml + - path: source-crs/ClusterLogSubscription.yaml + patches: + - spec: + source: redhat-operators + installPlanApproval: + '{{hub $configMap:=(lookup "v1" "ConfigMap" "" (printf "%s-pg" .ManagedClusterName)) hub}}{{hub dig "data" "install-plan-approval" "Manual" $configMap hub}}' + - path: source-crs/ClusterLogOperatorStatus.yaml + 
- path: source-crs/ClusterLogServiceAccount.yaml + - path: source-crs/ClusterLogServiceAccountAuditBinding.yaml + - path: source-crs/ClusterLogServiceAccountInfrastructureBinding.yaml + # PTP operator + - path: source-crs/PtpSubscriptionNS.yaml + - path: source-crs/PtpSubscription.yaml + patches: + - spec: + source: redhat-operators + installPlanApproval: + '{{hub $configMap:=(lookup "v1" "ConfigMap" "" (printf "%s-pg" .ManagedClusterName)) hub}}{{hub or (index $configMap.data "install-plan-approval") "Manual" hub}}' + - path: source-crs/PtpSubscriptionOperGroup.yaml + - path: source-crs/PtpOperatorStatus.yaml + # SRIOV operator + - path: source-crs/SriovSubscriptionNS.yaml + - path: source-crs/SriovSubscriptionOperGroup.yaml + - path: source-crs/SriovSubscription.yaml + patches: + - spec: + source: redhat-operators + installPlanApproval: + '{{hub $configMap:=(lookup "v1" "ConfigMap" "" (printf "%s-pg" .ManagedClusterName)) hub}}{{hub dig "data" "install-plan-approval" "Manual" $configMap hub}}' + - path: source-crs/SriovOperatorStatus.yaml + # SRIOV Accelerator + - path: source-crs/AcceleratorsNS.yaml + - path: source-crs/AcceleratorsOperGroup.yaml + - path: source-crs/AcceleratorsSubscription.yaml + patches: + - spec: + channel: "stable" + source: certified-operators + installPlanApproval: + '{{hub $configMap:=(lookup "v1" "ConfigMap" "" (printf "%s-pg" .ManagedClusterName)) hub}}{{hub dig "data" "install-plan-approval" "Automatic" $configMap hub}}' + - path: source-crs/AcceleratorsOperatorStatus.yaml + # LCA + - path: source-crs/LcaSubscriptionNS.yaml + - path: source-crs/LcaSubscriptionOperGroup.yaml + - path: source-crs/LcaSubscription.yaml + patches: + - spec: + source: redhat-operators + installPlanApproval: + '{{hub $configMap:=(lookup "v1" "ConfigMap" "" (printf "%s-pg" .ManagedClusterName)) hub}}{{hub dig "data" "install-plan-approval" "Manual" $configMap hub}}' + - path: source-crs/LcaSubscriptionOperGroup.yaml + # OADP + - path: 
source-crs/OadpSubscriptionNS.yaml + - path: source-crs/OadpSubscriptionOperGroup.yaml + - path: source-crs/OadpSubscription.yaml + patches: + - spec: + source: redhat-operators + installPlanApproval: + '{{hub $configMap:=(lookup "v1" "ConfigMap" "" (printf "%s-pg" .ManagedClusterName)) hub}}{{hub dig "data" "install-plan-approval" "Manual" $configMap hub}}' + - path: source-crs/OadpOperatorStatus.yaml + # Local storage operator + - path: source-crs/StorageNS.yaml + - path: source-crs/StorageOperGroup.yaml + - path: source-crs/StorageSubscription.yaml + patches: + - spec: + source: redhat-operators + installPlanApproval: + '{{hub $configMap:=(lookup "v1" "ConfigMap" "" (printf "%s-pg" .ManagedClusterName)) hub}}{{hub dig "data" "install-plan-approval" "Manual" $configMap hub}}' + - path: source-crs/StorageOperatorStatus.yaml +# CONFIGURATION POLICY +- name: v4-config-policy + manifests: + - path: source-crs/DisableOLMPprof.yaml + - path: source-crs/DisableSnoNetworkDiag.yaml + # PERFORMANCE PROFILE + - path: source-crs/PerformanceProfile-SetSelector.yaml + patches: + - metadata: + name: openshift-node-performance-profile + spec: + additionalKernelArgs: + - rcupdate.rcu_normal_after_boot=0 + - vfio_pci.enable_sriov=1 + - vfio_pci.disable_idle_d3=1 + - efi=runtime + cpu: + # These must be tailored for the specific hardware platform + isolated: '{{hub fromConfigMap "" (printf "%s-pg" .ManagedClusterName) "cpu-isolated" hub}}' + reserved: '{{hub fromConfigMap "" (printf "%s-pg" .ManagedClusterName) "cpu-reserved" hub}}' + hugepages: + defaultHugepagesSize: '{{hub fromConfigMap "" (printf "%s-pg" .ManagedClusterName) "hugepages-default" hub}}' + pages: + - size: '{{hub fromConfigMap "" (printf "%s-pg" .ManagedClusterName) "hugepages-size" hub}}' + count: '{{hub fromConfigMap "" (printf "%s-pg" .ManagedClusterName) "hugepages-count" | toInt hub}}' + realTimeKernel: + enabled: true + machineConfigPoolSelector: + pools.operator.machineconfiguration.openshift.io/master: "" 
+ nodeSelector: + node-role.kubernetes.io/master: '' + # PTP CONFIG + - path: source-crs/PtpOperatorConfig-SetSelector.yaml + complianceType: "mustonlyhave" + patches: + - spec: + daemonNodeSelector: + node-role.kubernetes.io/worker: "" + - path: source-crs/PtpConfigSlave.yaml + openapi: + path: sno-ran-du/schema.openapi + patches: + - metadata: + name: du-ptp-slave + spec: + profile: + - interface: '{{hub fromConfigMap "" (printf "%s-pg" .ManagedClusterName) "ptpcfgslave-profile-interface" hub}}' + name: slave + phc2sysOpts: -a -r -n 24 + ptp4lOpts: -2 -s --summary_interval -4 + recommend: + - match: + - nodeLabel: node-role.kubernetes.io/master + priority: 4 + profile: slave + # SRIOV OPERATOR CONFIG + - path: source-crs/SriovOperatorConfig-SetSelector.yaml + complianceType: musthave + patches: + - spec: + configDaemonNodeSelector: + node-role.kubernetes.io/master: "" + disableDrain: true + logLevel: 0 + # LOCAL STORAGE CONFIG + - path: source-crs/StorageLV.yaml + patches: + - spec: + storageClassDevices: + - storageClassName: "example-storage-class-1" + volumeMode: Filesystem + fsType: xfs + devicePaths: '{{hub fromConfigMap "" (printf "%s-pg" .ManagedClusterName) "storagelv-devicePaths-1" | toLiteral hub}}' + - path: source-crs/StorageClass.yaml + patches: + - metadata: + name: example-storage-class-2 + # CLUSTER LOGGING + - path: source-crs/ClusterLogForwarder.yaml + patches: + - spec: + $patch: replace + outputs: '{{hub fromConfigMap "" (printf "%s-pg" .ManagedClusterName) "cluster-log-fwd-outputs" | toLiteral hub}}' + pipelines: '{{hub fromConfigMap "" (printf "%s-pg" .ManagedClusterName) "cluster-log-fwd-pipelines" | toLiteral hub}}' + filters: '{{hub fromConfigMap "" (printf "%s-pg" .ManagedClusterName) "cluster-log-fwd-filters" | toLiteral hub}}' + serviceAccount: + name: collector + # TUNED CONFIG + - path: source-crs/TunedPerformancePatch.yaml + patches: + - spec: + recommend: + - machineConfigLabels: + machineconfiguration.openshift.io/role: master + 
priority: 19 + profile: performance-patchh + profile: + - name: performance-patch + data: | + [main] + summary=Configuration changes profile inherited from performance created tuned + include=openshift-node-performance-openshift-node-performance-profile + [bootloader] + cmdline_crash=-tsc=nowatchdog + cmdline_crash1=tsc=reliable + [sysctl] + kernel.timer_migration=1 + kernel.sysrq=1 + kernel.panic_on_rcu_stall=1 + kernel.hung_task_panic=1 + [scheduler] + group.ice-ptp=0:f:10:*:ice-ptp.* + group.ice-gnss=0:f:10:*:ice-gnss.* + [service] + service.stalld=start,enable + service.chronyd=stop,disable + # MACHINE CONFIG + - path: source-crs/MachineConfigGeneric.yaml + complianceType: mustonlyhave # This is to update array entry as opposed to appending a new entry. + patches: + - metadata: + name: 02-master-workload-partitioning + spec: + config: + storage: + files: + - contents: + # crio cpuset config goes below. This value needs to be updated and matched with PerformanceProfile. Check the link for more info on the content. + source: '{{hub fromConfigMap "" (printf "%s-pg" .ManagedClusterName) "machine-config-storage-source-1" hub}}' + mode: 420 + overwrite: true + path: /etc/crio/crio.conf.d/01-workload-partitioning + user: + name: root + - contents: + # openshift cpuset config goes below. This value needs to be updated and matched with crio cpuset (array entry above this). Check the link for more info on the content. 
+ source: '{{hub fromConfigMap "" (printf "%s-pg" .ManagedClusterName) "machine-config-storage-source-2" hub}}' + mode: 420 + overwrite: true + path: /etc/kubernetes/openshift-workload-pinning + user: + name: root +- name: v4-sriov-config-policy + manifests: + # SRIOV + - path: source-crs/SriovNetwork.yaml + patches: + - metadata: + name: sriov-nw-du-fh + spec: + resourceName: du_fh + vlan: '{{hub fromConfigMap "" (printf "%s-pg" .ManagedClusterName) "sriov-network-vlan-1" | toInt hub}}' + - path: source-crs/SriovNetworkNodePolicy-SetSelector.yaml + patches: + - metadata: + name: "sriov-nnp-du-fh" + spec: + deviceType: netdevice + isRdma: false + nicSelector: + pfNames: '{{hub fromConfigMap "" (printf "%s-pg" .ManagedClusterName) "sriov-network-pfNames-1" | toLiteral hub}}' + nodeSelector: + node-role.kubernetes.io/master: "" + numVfs: 8 + priority: 10 + resourceName: du_fh + - path: source-crs/SriovNetwork.yaml + patches: + - metadata: + name: sriov-nw-du-mh + spec: + resourceName: du_mh + vlan: '{{hub fromConfigMap "" (printf "%s-pg" .ManagedClusterName) "sriov-network-vlan-2" | toInt hub}}' + - path: source-crs/SriovNetworkNodePolicy-SetSelector.yaml + patches: + - metadata: + name: "sriov-nnp-du-mh" + spec: + deviceType: vfio-pci + isRdma: false + nicSelector: + pfNames: '{{hub fromConfigMap "" (printf "%s-pg" .ManagedClusterName) "sriov-network-pfNames-2" | toLiteral hub}}' + nodeSelector: + node-role.kubernetes.io/master: "" + numVfs: 8 + priority: 10 + resourceName: du_mh + # FEC + - path: source-crs/SriovFecClusterConfig.yaml + patches: + - metadata: + name: fec-config + spec: + drainSkip: true + nodeSelector: + $patch: replace + node-role.kubernetes.io/master: "" + acceleratorSelector: + pciAddress: '{{hub fromConfigMap "" (printf "%s-pg" .ManagedClusterName) "sriov-fec-pciAddress" | toLiteral hub}}' + physicalFunction: + pfDriver: '{{hub fromConfigMap "" (printf "%s-pg" .ManagedClusterName) "sriov-fec-pfDriver" | toLiteral hub}}' + vfDriver: '{{hub 
fromConfigMap "" (printf "%s-pg" .ManagedClusterName) "sriov-fec-vfDriver" | toLiteral hub}}' + vfAmount: 16 + bbDevConfig: '{{hub fromConfigMap "" (printf "%s-pg" .ManagedClusterName) "sriov-fec-bbDevConfig" | toLiteral hub}}' + $patch: replace +# DU VALIDATOR +- name: v4-du-validator-policy + remediationAction: inform + # This policy is not re-evaluated after it becomes + # compliant to reduce resource usage. + evaluationInterval: + compliant: never + noncompliant: 10s + manifests: + - path: source-crs/validatorCRs/informDuValidatorMaster.yaml +# OADP (Optional) +#- name: v4-oadp-config-policy +# policyAnnotations: +# ran.openshift.io/ztp-deploy-wave: "100" +# manifests: +# - path: source-crs/OadpSecret.yaml +# patches: +# - data: +# cloud: W2RlZmF1bHRdCmF3c19hY2Nlc3Nfa2V5X2lkPVdicktaSFpFOXZGWEVFemo2RU12CmF3c19zZWNyZXRfYWNjZXNzX2tleT1RRDNmRVZMNzVsOWJpSWswYW9PdlRSc2diN01ZRUlnZmF5bzVzRnlmCg== +# - path: source-crs/OadpDataProtectionApplication.yaml +# patches: +# - spec: +# backupLocations: +# - velero: +# provider: aws +# default: true +# credential: +# key: cloud +# name: cloud-credentials +# config: +# profile: "default" +# region: minio +# s3Url: '{{hub fromConfigMap "" (printf "%s-pg" .ManagedClusterName) "oadp-s3url" hub}}' +# insecureSkipTLSVerify: "true" +# s3ForcePathStyle: "true" +# objectStorage: +# bucket: ibu +# prefix: '{{hub .ManagedClusterName hub}}' +# - path: source-crs/OadpBackupStorageLocationStatus.yaml
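Review bot: The hub-template key for the LocalVolume device paths is spelled `"storagelv-devicePaths-1"` in the `StorageLV.yaml` patch, while the defaults ConfigMap and the ClusterTemplate schema in this commit use `storage-lv-devicePaths-1`, so the `fromConfigMap` lookup would presumably not resolve; the key should read `"storage-lv-devicePaths-1"`. In the Tuned patch, `recommend` selects `profile: performance-patchh` but the only profile defined is `performance-patch`, which looks like a typo. `source-crs/LcaSubscriptionOperGroup.yaml` is listed twice in the subscriptions policy, where the other operators end with an `…OperatorStatus.yaml` entry. The commented-out OADP block still commits a base64 `cloud:` value that decodes to an AWS-style access key id and secret, next to `insecureSkipTLSVerify: "true"`; base64 is not protection, so the value should become a placeholder such as `cloud: <base64-encoded-credentials-file>` and the key should be rotated if it was ever live.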