From 5b06330302ddf6da8dbbfc134055d4b5891955fa Mon Sep 17 00:00:00 2001 From: Mateus Caruccio Date: Wed, 31 Jul 2024 02:20:26 +0100 Subject: [PATCH] [okd] working monitoring + x509-exporter --- .../local/bin/x509-exporter-config-builder.sh | 169 ++++++----- .../helmrelease-cert-manager-config.yaml.tpl | 2 +- .../base/helmrelease-x509-exporter.yaml.tpl | 78 +---- .../base-helmrelease-teleport-agent.yaml.tpl | 103 +++++++ .../base-helmrelease-x509-exporter.yaml.tpl | 128 ++++++++ .../provider/base-helmrepository.yaml | 280 ++++++++++++++++++ .../provider/helmrelease-cert-manager.yaml | 13 - .../manifests/provider/kustomization.yaml.tpl | 7 +- ...adp.yaml.tpl => subscription-adp.yaml.tpl} | 0 .../provider/subscription-cert-manager.yaml | 12 + 10 files changed, 618 insertions(+), 174 deletions(-) create mode 100644 templates/okd/manifests/provider/base-helmrelease-teleport-agent.yaml.tpl create mode 100644 templates/okd/manifests/provider/base-helmrelease-x509-exporter.yaml.tpl create mode 100644 templates/okd/manifests/provider/base-helmrepository.yaml delete mode 100644 templates/okd/manifests/provider/helmrelease-cert-manager.yaml rename templates/okd/manifests/provider/{openshift-adp.yaml.tpl => subscription-adp.yaml.tpl} (100%) create mode 100644 templates/okd/manifests/provider/subscription-cert-manager.yaml diff --git a/root/usr/local/bin/x509-exporter-config-builder.sh b/root/usr/local/bin/x509-exporter-config-builder.sh index 14858494..bd23d7d6 100644 --- a/root/usr/local/bin/x509-exporter-config-builder.sh +++ b/root/usr/local/bin/x509-exporter-config-builder.sh 
@@ -1,97 +1,96 @@ -if [ $# -ne 1 ]; then - echo "Usage: $0 [cp|node]" - exit 1 -fi - -SEARCH_DIRS_CRT_CP=( - /etc/kubernetes/pki - /etc/kubernetes/ssl +#!/bin/bash - /etc/kubernetes/static-pod-resources/etcd-certs/secrets/etcd-all-certs - /etc/kubernetes/static-pod-resources/etcd-certs/configmaps - /etc/kubernetes/static-pod-resources/etcd-certs/configmaps/etcd-peer-client-ca - /etc/kubernetes/static-pod-resources/etcd-certs/configmaps/etcd-serving-ca - - /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/aggregator-client - /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/check-endpoints-client-cert-key - /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/control-plane-node-admin-client-cert-key - /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/external-loadbalancer-serving-certkey - /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/internal-loadbalancer-serving-certkey - /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/kubelet-client - /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/localhost-serving-cert-certkey - /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/service-network-serving-certkey - /etc/kubernetes/static-pod-resources/kube-apiserver-certs/configmaps/aggregator-client-ca - /etc/kubernetes/static-pod-resources/kube-apiserver-certs/configmaps/client-ca - # /etc/kubernetes/static-pod-resources/kube-apiserver-certs/configmaps/trusted-ca-bundle - /etc/kubernetes/static-pod-resources/kube-apiserver-certs/ - - /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/secrets/csr-signer - /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/secrets/kube-controller-manager-client-cert-key - /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/configmaps/aggregator-client-ca - /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/configmaps/client-ca - # 
/etc/kubernetes/static-pod-resources/kube-controller-manager-certs/configmaps/trusted-ca-bundle - - /etc/kubernetes/static-pod-resources/kube-scheduler-certs/secrets/kube-scheduler-client-cert-key -) +declare -A CERTS=() +declare -A CONFS=() -SEARCH_DIRS_CRT_NODE=( - /var/lib/kubelet/pki - /var/lib/kubelet/ssl +OKD_ROOT_DIR=/etc/kubernetes/static-pod-resources +CERTS_DIRS=( + /etc/kubernetes /etc/kubernetes/pki /etc/kubernetes/ssl + /var/lib/kubelet/pki/kubelet-client-current.pem + /var/lib/kubelet/pki/kubelet-server-current.pem ) +PODS_DIRS=() -SEARCH_DIRS_KUBECFG=( +if [ -d "$OKD_ROOT_DIR" ]; then + CERTS_DIR+=( + $OKD_ROOT_DIR/configmaps + $OKD_ROOT_DIR/etcd-certs + $OKD_ROOT_DIR/kube-apiserver-certs + $OKD_ROOT_DIR/kube-controller-manager-certs + $OKD_ROOT_DIR/kube-scheduler-certs + ) + for name in etcd kube-apiserver kube-controller-manager kube-scheduler; do + current_no=$(printf "%s\n" $OKD_ROOT_DIR/${name}-pod-*/ | awk -F- '{print $NF}' | sort -n | tail -n 1) + pod_dir="$OKD_ROOT_DIR/${name}-pod-$current_no" + + if ! 
[ -d "$pod_dir" ]; then + continue + fi + PODS_DIRS+=( "$pod_dir" ) + done +fi + +CERTS_DIRS+=( ${PODS_DIRS[*]} ) + +for name in ${CERTS_DIRS[*]}; do + certs=( $(find -L $name -type f -regextype egrep -regex '.*\.(crt|cert|pem)$' -exec grep -q '^-----BEGIN CERTIFICATE-----' {} \; -print 2>/dev/null) ) + + if [ ${#certs[*]} -eq 0 ]; then + continue + fi + + for cert in ${certs[*]}; do + hash=$(md5sum "$cert" | cut -f 1 -d ' ') + CERTS["$hash"]="$cert" + done +done + +CONFIG_DIRS=( /etc/kubernetes - /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs - /etc/kubernetes/static-pod-resources/kube-apiserver-certs/configmaps/check-endpoints-kubeconfig - /etc/kubernetes/static-pod-resources/kube-apiserver-certs/configmaps/control-plane-node-kubeconfig + /var/lib/kubelet ) -if [ $1 == cp ]; then -cat </dev/null -done | sort -u | sed -e 's/^/ /' -echo -echo ' watchKubeconfFiles:' -for dir in ${SEARCH_DIRS_KUBECFG[@]}; do - find ${dir} -maxdepth 1 -type f -regextype egrep -regex '.*(kubeconfig|kubelet.conf|controller-manager.conf|scheduler.conf|admin.conf)$' -printf "- %p\n" 2>/dev/null -done | sort -u | sed -e 's/^/ /' - - -elif [ $1 == node ]; then -cat </dev/null -done | sort -u | sed -e 's/^/ /' -echo -echo ' watchKubeconfFiles:' -for dir in ${SEARCH_DIRS_KUBECFG[@]}; do - find ${dir} -maxdepth 1 -type f -regextype egrep -regex '.*(kubeconfig|kubelet.conf)$' -printf "- %p\n" 2>/dev/null -done | sort -u | sed -e 's/^/ /' +for name in ${CONFIG_DIRS[*]}; do + confs=( $(find -L $name -maxdepth 1 -type f -exec grep -qE '^(kind: Config|contexts:|clusters:)$' {} \; -print 2>/dev/null) ) + + if [ ${#confs[*]} -eq 0 ]; then + continue + fi + + for conf in ${confs[*]}; do + hash=$(md5sum "$conf" | cut -f 1 -d ' ') + CONFS["$hash"]="$conf" + done +done + +if [ ${#PODS_DIRS[*]} -gt 0 ]; then + for name in ${PODS_DIRS[*]}; do + confs=( $(find -L $name -type f -exec grep -qE '^(kind: Config|contexts:|clusters:)$' {} \; -print 2>/dev/null) ) + if [ 
${#confs[*]} -eq 0 ]; then + continue + fi + + for conf in ${confs[*]}; do + hash=$(md5sum "$conf" | cut -f 1 -d ' ') + CONFS["$hash"]="$conf" + done + done +fi + +echo 'watchFiles:' +if [ ${#CERTS[*]} -gt 0 ]; then + printf -- "- %s\n" ${CERTS[@]} | sort -u +else + echo "[]" +fi + +echo +echo 'watchKubeconfFiles:' +if [ ${#CONFS[*]} -gt 0 ]; then + printf -- "- %s\n" ${CONFS[@]} | sort -u else - echo "Usage: $0 [cp|node]" - exit 1 + echo "[]" fi diff --git a/templates/manifests/base/helmrelease-cert-manager-config.yaml.tpl b/templates/manifests/base/helmrelease-cert-manager-config.yaml.tpl index 25d00cc2..91b7fa6e 100644 --- a/templates/manifests/base/helmrelease-cert-manager-config.yaml.tpl +++ b/templates/manifests/base/helmrelease-cert-manager-config.yaml.tpl @@ -29,7 +29,7 @@ spec: targetNamespace: cert-manager values: acme_email: ${ modules.cert-manager-config.acme_email } - ingress_class: ${ modules.cert-manager-config.ingress_class } + ingress_class: ${ cluster_type == "okd" ? "openshift-default" : modules.cert-manager-config.ingress_class } cluster_issuer_selfsigned: enabled: true diff --git a/templates/manifests/base/helmrelease-x509-exporter.yaml.tpl b/templates/manifests/base/helmrelease-x509-exporter.yaml.tpl index 492e5059..9e7e4353 100644 --- a/templates/manifests/base/helmrelease-x509-exporter.yaml.tpl +++ b/templates/manifests/base/helmrelease-x509-exporter.yaml.tpl @@ -68,6 +68,13 @@ spec: storageNamespace: x509-exporter targetNamespace: x509-exporter releaseName: x509-exporter + valuesFrom: + - kind: ConfigMap + name: host-paths-exporter-values-controlplane + optional: true + - kind: ConfigMap + name: host-paths-exporter-values-node + optional: true values: # Monitors certificates from node's filesystem # https://github.com/enix/x509-certificate-exporter/tree/main/deploy/charts/x509-certificate-exporter#metrics-for-node-certificates-hostpath 
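Review bot: `CERTS_DIR+=(` inside the `if [ -d "$OKD_ROOT_DIR" ]` block appends to a variable named `CERTS_DIR`, while the array the `find` loop scans is `CERTS_DIRS`, so the five `$OKD_ROOT_DIR/*-certs` and `configmaps` directories are silently dropped and only the `*-pod-N` directories reach the certificate scan; the line should read `CERTS_DIRS+=(`. Because `find` errors go to `2>/dev/null` and an empty result just prints `watchFiles: []`, a slip like this never surfaces in the generated config, so a short comment above the OKD block stating which directories are expected to appear in the output would help whoever debugs missing expiry metrics. The unquoted `${CERTS_DIRS[*]}` and `${certs[*]}` expansions also word-split any path containing whitespace; `"${CERTS_DIRS[@]}"` is the safe form.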
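Review bot: The two new `valuesFrom` entries are `optional: true` and nothing in this commit creates `host-paths-exporter-values-controlplane` or `host-paths-exporter-values-node`, while the static `daemonSets` watch lists are removed from this template in the next hunk; if the ConfigMaps are absent the release still reconciles cleanly but the hostPaths exporter runs with no watch lists and emits no node-certificate metrics, and nothing flags that. A comment above `valuesFrom` recording the producer would help, e.g. `# per-role watch lists, presumably written by x509-exporter-config-builder.sh; optional so the release can install before they exist` (the producer is not visible in this diff, so confirm before committing the wording). If the exporter is not useful without them, `optional: false` turns a silently empty configuration into a visible reconcile error.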
@@ -88,77 +95,6 @@ spec: user: system_u %{~ endif } - daemonSets: - controlplane: - nodeSelector: - node-role.kubernetes.io/master: "" - tolerations: - - effect: NoSchedule - operator: Exists - -%{~ if cluster_type == "okd" } - watchDirectories: - - /etc/kubernetes/static-pod-resources/etcd-certs/configmaps/etcd-metrics-proxy-client-ca - - /etc/kubernetes/static-pod-resources/etcd-certs/configmaps/etcd-metrics-proxy-serving-ca - - /etc/kubernetes/static-pod-resources/etcd-certs/configmaps/etcd-peer-client-ca - - /etc/kubernetes/static-pod-resources/etcd-certs/configmaps/etcd-serving-ca - - /etc/kubernetes/static-pod-resources/etcd-certs/secrets/etcd-all-certs - - /etc/kubernetes/static-pod-resources/kube-apiserver-certs/configmaps/aggregator-client-ca - - /etc/kubernetes/static-pod-resources/kube-apiserver-certs/configmaps/client-ca - # - /etc/kubernetes/static-pod-resources/kube-apiserver-certs/configmaps/trusted-ca-bundle - - /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/aggregator-client - - /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/check-endpoints-client-cert-key - - /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/control-plane-node-admin-client-cert-key - - /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/external-loadbalancer-serving-certkey - - /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/internal-loadbalancer-serving-certkey - - /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/kubelet-client - - /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/localhost-serving-cert-certkey - - /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/service-network-serving-certkey - - /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/configmaps/aggregator-client-ca - - /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/configmaps/client-ca - # - 
/etc/kubernetes/static-pod-resources/kube-controller-manager-certs/configmaps/trusted-ca-bundle - - /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/secrets/csr-signer - - /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/secrets/kube-controller-manager-client-cert-key - - /etc/kubernetes/static-pod-resources/kube-scheduler-certs/secrets/kube-scheduler-client-cert-key -%{~ endif } -%{~ if cluster_type == "kubespray" } - watchDirectories: - - /etc/kubernetes/ssl - - /var/lib/kubelet/pki - - watchKubeconfFiles: - - /etc/kubernetes/admin.conf - - /etc/kubernetes/controller-manager.conf - - /etc/kubernetes/kubelet.conf - - /etc/kubernetes/scheduler.conf -%{~ endif } - - nodes: - tolerations: - - effect: NoSchedule - operator: Exists - -%{~ if cluster_type == "okd" } - watchFiles: - - /var/lib/kubelet/pki/kubelet-server-current.pem - - /var/lib/kubelet/pki/kubelet-client-current.pem - - watchKubeconfFiles: - - /etc/kubernetes/kubeconfig - - /etc/kubernetes/kubelet.conf -%{~ endif } -%{~ if cluster_type == "kubespray" } - watchFiles: - - /var/lib/kubelet/pki/kubelet-server-current.pem - - /var/lib/kubelet/pki/kubelet-client-current.pem - - watchDirectories: - - /etc/kubernetes/ssl - - watchKubeconfFiles: - - /etc/kubernetes/kubelet.conf -%{~ endif } - # Monitors certificates from secrets # https://github.com/enix/x509-certificate-exporter/tree/main/deploy/charts/x509-certificate-exporter#metrics-for-tls-secrets secretsExporter: diff --git a/templates/okd/manifests/provider/base-helmrelease-teleport-agent.yaml.tpl b/templates/okd/manifests/provider/base-helmrelease-teleport-agent.yaml.tpl new file mode 100644 index 00000000..31c9fdb7 --- /dev/null +++ b/templates/okd/manifests/provider/base-helmrelease-teleport-agent.yaml.tpl 
@@ -0,0 +1,103 @@ +%{~ if teleport_auth_token != "" } +%{~ if cluster_type == "okd" ~} +--- +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + annotations: + kubernetes.io/description: anyuid provides all features of the restricted SCC + but allows users to run with any UID and any GID. + name: teleport-agent +allowHostDirVolumePlugin: false +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegeEscalation: true +allowPrivilegedContainer: false +allowedCapabilities: null +defaultAddCapabilities: null +fsGroup: + type: RunAsAny +groups: +- system:cluster-admins +priority: 10 +readOnlyRootFilesystem: false +requiredDropCapabilities: +- MKNOD +runAsUser: + type: RunAsAny +seLinuxContext: + type: MustRunAs +supplementalGroups: + type: RunAsAny +users: +- system:serviceaccount:getup:teleport-agent +- system:serviceaccount:getup:teleport-agent-updater +volumes: +- configMap +- downwardAPI +- emptyDir +- persistentVolumeClaim +- projected +- secret +%{~ endif } +--- +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: teleport-agent + namespace: flux-system +spec: + chart: + spec: + chart: teleport-kube-agent + version: "14.1.3" + sourceRef: + kind: HelmRepository + name: teleport + install: + createNamespace: true + disableWait: true + remediation: + retries: -1 + upgrade: + disableWait: false + remediation: + retries: -1 + interval: 5m + releaseName: teleport-agent + storageNamespace: getup + targetNamespace: getup + values: + proxyAddr: ${teleport_proxy_addr} + authToken: ${teleport_auth_token} + kubeClusterName: ${teleport_kube_cluster_name} + + labels: + ${indent(6, yamlencode(teleport_labels))} + + tolerations: + - key: dedicated + value: infra + effect: NoSchedule + + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + preference: + matchExpressions: + - key: node-role.kubernetes.io/infra + operator: Exists + - 
weight: 90 + preference: + matchExpressions: + - key: role + operator: In + values: + - infra + + podSecurityPolicy: + enabled: false +%{~ endif } diff --git a/templates/okd/manifests/provider/base-helmrelease-x509-exporter.yaml.tpl b/templates/okd/manifests/provider/base-helmrelease-x509-exporter.yaml.tpl new file mode 100644 index 00000000..9e7e4353 --- /dev/null +++ b/templates/okd/manifests/provider/base-helmrelease-x509-exporter.yaml.tpl 
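Review bot: The new `teleport-agent` SCC keeps `groups: - system:cluster-admins` and `priority: 10` from the anyuid SCC it was copied from (the `kubernetes.io/description` annotation still describes anyuid), which widens an SCC meant for two service accounts to every pod created by a cluster-admin and, through the priority, makes it win admission over the default SCCs for those users; the `groups` and `priority` fields can be dropped so only the two `users:` entries match, and the description rewritten to something like `kubernetes.io/description: anyuid-equivalent SCC restricted to the teleport-agent service accounts`. Separately, `authToken: ${teleport_auth_token}` renders the join token inline into the HelmRelease `values`, where it ends up in the rendered manifest in git and in the `flux-system` HelmRelease object; referencing a Secret through `valuesFrom` keeps it out of both. `allowPrivilegeEscalation: true` with only `MKNOD` dropped is also broader than the restricted SCC; worth a comment if the agent genuinely needs it.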
@@ -0,0 +1,128 @@ +%{ if modules.x509-exporter.enabled ~} +apiVersion: v1 +kind: Namespace +metadata: + name: x509-exporter +%{~ if cluster_type == "okd" } + labels: + openshift.io/cluster-monitoring: "false" + openshift.io/user-monitoring: "true" +%{~ endif } +--- +%{~ if cluster_type == "okd" } +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: system:openshift:scc:anyuid + namespace: x509-exporter +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:openshift:scc:anyuid +subjects: +- kind: ServiceAccount + name: x509-exporter-hostpaths + namespace: x509-exporter +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: system:openshift:scc:privileged + namespace: x509-exporter +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:openshift:scc:privileged +subjects: +- kind: ServiceAccount + name: x509-exporter-hostpaths + namespace: x509-exporter +- kind: ServiceAccount + name: x509-exporter-secrets + namespace: x509-exporter +--- +%{~ endif } +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: x509-exporter + namespace: flux-system +spec: + chart: + spec: + chart: x509-certificate-exporter + sourceRef: + kind: HelmRepository + name: enix + version: "~> 3" + install: + createNamespace: true + disableWait: false + remediation: + retries: -1 + upgrade: + disableWait: false + remediation: + retries: -1 + interval: 5m + storageNamespace: x509-exporter + targetNamespace: x509-exporter + releaseName: x509-exporter + valuesFrom: + - kind: ConfigMap + name: host-paths-exporter-values-controlplane + optional: true + - kind: ConfigMap + name: host-paths-exporter-values-node + optional: true + values: + # Monitors certificates from node's filesystem + # https://github.com/enix/x509-certificate-exporter/tree/main/deploy/charts/x509-certificate-exporter#metrics-for-node-certificates-hostpath + # !! 
auto-generated from script x509-exporter-config-builder.sh !! + hostPathsExporter: + securityContext: + allowPrivilegeEscalation: true + privileged: true + readOnlyRootFilesystem: true + runAsGroup: 0 + runAsUser: 0 + capabilities: + drop: + - ALL +%{~ if cluster_type == "okd" } + seLinuxOptions: + level: s0 + user: system_u +%{~ endif } + + # Monitors certificates from secrets + # https://github.com/enix/x509-certificate-exporter/tree/main/deploy/charts/x509-certificate-exporter#metrics-for-tls-secrets + secretsExporter: + enabled: true + + # If you don't use the Prometheus operator at all, and don't have the CRD, disable resource creation and perhaps add Pod annotations for scrapping : + #secretsExporter: + # podAnnotations: + # prometheus.io/port: "9793" + # prometheus.io/scrape: "true" + #service: + # create: false + #prometheusServiceMonitor: + # create: false + #prometheusRules: + # create: false + + prometheusServiceMonitor: + create: true + scrapeInterval: 600s + prometheusRules: + create: true + warningDaysLeft: 14 + criticalDaysLeft: 7 + + rbac: + secretsExporter: + serviceAccountName: x509-exporter-secrets + hostPathsExporter: + serviceAccountName: x509-exporter-hostpaths # must match RoleBinding for OKD clusters +%{~ endif } diff --git a/templates/okd/manifests/provider/base-helmrepository.yaml b/templates/okd/manifests/provider/base-helmrepository.yaml new file mode 100644 index 00000000..19f2dd42 --- /dev/null +++ b/templates/okd/manifests/provider/base-helmrepository.yaml 
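Review bot: The second RoleBinding puts `x509-exporter-secrets` into `system:openshift:scc:privileged`, yet only `hostPathsExporter` carries a `privileged: true` securityContext in these values and the secrets exporter reads Secrets through the API; its `subjects` should contain only `x509-exporter-hostpaths`, as the anyuid binding above already does. Under `privileged: true` the `capabilities.drop: [ALL]` entry is largely moot, since a privileged container is granted the full capability set regardless, so a comment such as `# privileged is required for hostPath reads of /etc/kubernetes; drop ALL is kept for the non-privileged path but has no effect here` would stop readers from assuming the container is capability-restricted. This file also carries the same blob id (`9e7e4353`) as the base template changed in this commit, i.e. it is a verbatim copy; if the kustomization comment about not pulling in all of `../base` is the only reason, a kustomize reference to just that one base file would avoid the two drifting apart.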
@@ -0,0 +1,280 @@ +--- +apiVersion: source.toolkit.fluxcd.io/v1beta1 +kind: HelmRepository +metadata: + name: metrics-server + namespace: flux-system +spec: + interval: 1h + url: https://kubernetes-sigs.github.io/metrics-server/ +--- +apiVersion: source.toolkit.fluxcd.io/v1beta1 +kind: HelmRepository +metadata: + name: kyverno + namespace: flux-system +spec: + interval: 1h + url: https://kyverno.github.io/kyverno/ +--- +apiVersion: source.toolkit.fluxcd.io/v1beta1 +kind: HelmRepository +metadata: + name: aqua + namespace: flux-system +spec: + interval: 1h + url: https://aquasecurity.github.io/helm-charts/ +--- +apiVersion: source.toolkit.fluxcd.io/v1beta1 +kind: HelmRepository +metadata: + name: getupcloud + namespace: flux-system +spec: + interval: 1h + url: https://charts.getup.io/getupcloud/ +--- +apiVersion: source.toolkit.fluxcd.io/v1beta1 +kind: HelmRepository +metadata: + name: bitnami + namespace: flux-system +spec: + interval: 1h + url: https://charts.bitnami.com/bitnami +--- +apiVersion: source.toolkit.fluxcd.io/v1beta1 +kind: HelmRepository +metadata: + name: autoscaler + namespace: flux-system +spec: + interval: 1h + url: https://kubernetes.github.io/autoscaler +--- +apiVersion: source.toolkit.fluxcd.io/v1beta1 +kind: HelmRepository +metadata: + name: jetstack + namespace: flux-system +spec: + interval: 1h + url: https://charts.jetstack.io +--- +apiVersion: source.toolkit.fluxcd.io/v1beta1 +kind: HelmRepository +metadata: + name: velero + namespace: flux-system +spec: + interval: 1h + url: https://vmware-tanzu.github.io/helm-charts +--- +apiVersion: source.toolkit.fluxcd.io/v1beta1 +kind: HelmRepository +metadata: + name: ingress-nginx + namespace: flux-system +spec: + interval: 1h + url: https://kubernetes.github.io/ingress-nginx +--- +apiVersion: source.toolkit.fluxcd.io/v1beta1 +kind: HelmRepository +metadata: + name: grafana + namespace: flux-system +spec: + interval: 1h + url: https://grafana.github.io/helm-charts +--- +apiVersion: 
source.toolkit.fluxcd.io/v1beta1 +kind: HelmRepository +metadata: + name: prometheus-community + namespace: flux-system +spec: + interval: 1h + url: https://prometheus-community.github.io/helm-charts +--- +apiVersion: source.toolkit.fluxcd.io/v1beta1 +kind: HelmRepository +metadata: + name: prometheus-msteams + namespace: flux-system +spec: + interval: 1h + url: https://prometheus-msteams.github.io/prometheus-msteams/ +--- +apiVersion: source.toolkit.fluxcd.io/v1beta1 +kind: HelmRepository +metadata: + name: elastic + namespace: flux-system +spec: + interval: 1h + url: https://helm.elastic.co +--- +apiVersion: source.toolkit.fluxcd.io/v1beta1 +kind: HelmRepository +metadata: + name: harbor + namespace: flux-system +spec: + interval: 1h + url: https://helm.goharbor.io +--- +apiVersion: source.toolkit.fluxcd.io/v1beta1 +kind: HelmRepository +metadata: + name: ot-helm + namespace: flux-system +spec: + interval: 1h + url: https://ot-container-kit.github.io/helm-charts/ +--- +apiVersion: source.toolkit.fluxcd.io/v1beta1 +kind: HelmRepository +metadata: + name: teleport + namespace: flux-system +spec: + interval: 1h + url: https://charts.releases.teleport.dev +--- +apiVersion: source.toolkit.fluxcd.io/v1beta1 +kind: HelmRepository +metadata: + name: external-dns + namespace: flux-system +spec: + interval: 1h + url: https://kubernetes-sigs.github.io/external-dns/ +--- +apiVersion: source.toolkit.fluxcd.io/v1beta1 +kind: HelmRepository +metadata: + name: jenkins + namespace: flux-system +spec: + interval: 1h + url: https://charts.jenkins.io +--- +apiVersion: source.toolkit.fluxcd.io/v1beta1 +kind: HelmRepository +metadata: + name: openebs + namespace: flux-system +spec: + interval: 1h + url: https://openebs.github.io/charts +--- +apiVersion: source.toolkit.fluxcd.io/v1beta1 +kind: HelmRepository +metadata: + name: falcosecurity + namespace: flux-system +spec: + interval: 1h + url: https://falcosecurity.github.io/charts +--- +apiVersion: source.toolkit.fluxcd.io/v1beta1 
+kind: HelmRepository +metadata: + name: kong + namespace: flux-system +spec: + interval: 1h + url: https://charts.konghq.com +--- +apiVersion: source.toolkit.fluxcd.io/v1beta1 +kind: HelmRepository +metadata: + name: linkerd + namespace: flux-system +spec: + interval: 1h + url: https://helm.linkerd.io/stable +--- +apiVersion: source.toolkit.fluxcd.io/v1beta1 +kind: HelmRepository +metadata: + name: policy-reporter + namespace: flux-system +spec: + interval: 1h + url: https://kyverno.github.io/policy-reporter +--- +apiVersion: source.toolkit.fluxcd.io/v1beta1 +kind: HelmRepository +metadata: + name: trivy-operator-polr-adapter + namespace: flux-system +spec: + interval: 1h + url: https://fjogeleit.github.io/trivy-operator-polr-adapter +--- +apiVersion: source.toolkit.fluxcd.io/v1beta2 +kind: HelmRepository +metadata: + name: weave-gitops + namespace: flux-system +spec: + interval: 1h + type: oci + url: oci://ghcr.io/weaveworks/charts +--- +apiVersion: source.toolkit.fluxcd.io/v1beta1 +kind: HelmRepository +metadata: + name: datadog + namespace: flux-system +spec: + interval: 1h + url: https://helm.datadoghq.com +--- +apiVersion: source.toolkit.fluxcd.io/v1beta1 +kind: HelmRepository +metadata: + name: gitlab + namespace: flux-system +spec: + interval: 1h + url: https://charts.gitlab.io +--- +apiVersion: source.toolkit.fluxcd.io/v1beta1 +kind: HelmRepository +metadata: + name: istio + namespace: flux-system +spec: + interval: 1h + url: https://istio-release.storage.googleapis.com/charts +--- +apiVersion: source.toolkit.fluxcd.io/v1beta1 +kind: HelmRepository +metadata: + name: kiali + namespace: flux-system +spec: + interval: 1h + url: https://kiali.org/helm-charts +--- +apiVersion: source.toolkit.fluxcd.io/v1beta1 +kind: HelmRepository +metadata: + name: metallb + namespace: flux-system +spec: + interval: 1h + url: https://metallb.github.io/metallb +--- +apiVersion: source.toolkit.fluxcd.io/v1beta1 +kind: HelmRepository +metadata: + name: enix + namespace: 
flux-system +spec: + interval: 1h + url: https://charts.enix.io diff --git a/templates/okd/manifests/provider/helmrelease-cert-manager.yaml b/templates/okd/manifests/provider/helmrelease-cert-manager.yaml deleted file mode 100644 index f88139ea..00000000 --- a/templates/okd/manifests/provider/helmrelease-cert-manager.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: helm.toolkit.fluxcd.io/v2beta1 -kind: HelmRelease -metadata: - name: cert-manager - namespace: flux-system -spec: - dependsOn: - values: - nodeSelector: - cainjector: - nodeSelector: - webhook: - nodeSelector: diff --git a/templates/okd/manifests/provider/kustomization.yaml.tpl b/templates/okd/manifests/provider/kustomization.yaml.tpl index e661df71..ad9df04a 100644 --- a/templates/okd/manifests/provider/kustomization.yaml.tpl +++ b/templates/okd/manifests/provider/kustomization.yaml.tpl @@ -5,14 +5,13 @@ resources: # Do not include all from ../base in order to use openshift native monitoring system - base-helmrepository.yaml - base-helmrelease-teleport-agent.yaml -- base-helmrelease-x509-exporter.yaml -- helmrelease-cert-manager.yaml -- helmrelease-cert-manager-config.yaml +- subscription-cert-manager.yaml - helmrelease-cert-utils-operator.yaml +- base-helmrelease-x509-exporter.yaml - helmrepository.yaml - helmrelease-kyverno.yaml - helmrelease-trivy-operator-polr-adapter.yaml -- openshift-adp.yaml +- subscription-adp.yaml - cri-o-garbage-collector.yaml patchesStrategicMerge: diff --git a/templates/okd/manifests/provider/openshift-adp.yaml.tpl b/templates/okd/manifests/provider/subscription-adp.yaml.tpl similarity index 100% rename from templates/okd/manifests/provider/openshift-adp.yaml.tpl rename to templates/okd/manifests/provider/subscription-adp.yaml.tpl diff --git a/templates/okd/manifests/provider/subscription-cert-manager.yaml b/templates/okd/manifests/provider/subscription-cert-manager.yaml new file mode 100644 index 00000000..4253cab8 --- /dev/null 
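Review bot: The `weave-gitops` entry uses `source.toolkit.fluxcd.io/v1beta2` (needed for `type: oci`) while the other repositories in this new file use `v1beta1`, which Flux has deprecated in favour of the newer API versions; mixing them in one file means a future source-controller upgrade breaks 29 entries but not the 30th. Moving every `HelmRepository` here to the same, newest version supported by the cluster's Flux build avoids that, and a header comment naming the minimum Flux version this file assumes would document the choice.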
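Review bot: `helmrelease-cert-manager-config.yaml` is removed from the OKD `resources` list here, yet the same commit adds a `cluster_type == "okd"` branch to `templates/manifests/base/helmrelease-cert-manager-config.yaml.tpl`; unless that template is pulled in for OKD by a path outside this diff, the new branch is unreachable and the issuer/ACME configuration it carried is no longer applied on OKD clusters, while `subscription-cert-manager.yaml` installs only the operator. Either add the config release back to this list or note in the kustomization comment where the OKD cert-manager configuration now lives.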
+++ b/templates/okd/manifests/provider/subscription-cert-manager.yaml
@@ -0,0 +1,12 @@
+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+metadata:
+ name: cert-manager
+ namespace: openshift-operators
+spec:
+ channel: stable
+ installPlanApproval: Automatic
+ name: cert-manager
+ source: community-operators
+ sourceNamespace: openshift-marketplace
+ startingCSV: cert-manager.v1.11.0
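Review bot: `installPlanApproval: Automatic` together with `startingCSV: cert-manager.v1.11.0` pins only the first install; afterwards OLM follows `channel: stable` and upgrades the operator on its own, so the version is not actually held. If a fixed version is the intent, `installPlanApproval: Manual` is the setting that enforces it; if `startingCSV` is only a floor, a comment saying so prevents the next reader from assuming a pin, e.g. `# startingCSV is the initial version only; Automatic approval tracks the stable channel afterwards`. The operator is also sourced from `community-operators` rather than the certified catalog, which is worth a one-line comment confirming that is deliberate.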