From a35e2278276f7a0a5f5e70bd138101995ad64eac Mon Sep 17 00:00:00 2001 
From: Yury Kovalev Date: Wed, 8 Oct 2025 13:26:36 +0200 Subject: [PATCH] feat(dp-terraform)!: remove subcharts Refers to ROX-31000, ROX-31001, ROX-31003, ROX-31004 --- .secrets.baseline | 9 - .../fleetshard-operator/51-fleetshard-cr.yaml | 14 - .../01-namespace.yaml | 0 .../02-subscription.yaml | 6 +- .../03-operator-group.yaml | 0 dev/env/scripts/bootstrap.sh | 7 + dp-terraform/helm/rhacs-terraform/Chart.lock | 21 +- dp-terraform/helm/rhacs-terraform/Chart.yaml | 18 +- .../charts/audit-logs/.helmignore | 23 - .../charts/audit-logs/Chart.yaml | 24 - .../charts/audit-logs/README.md | 31 - .../audit-logs/templates/01-namespace.yaml | 8 - .../audit-logs/templates/02-configmap.yaml | 16 - .../audit-logs/templates/03-secret.yaml | 16 - .../templates/04-serviceaccount.yaml | 12 - .../audit-logs/templates/05-service.yaml | 26 - .../audit-logs/templates/06-statefulset.yaml | 134 -- .../charts/audit-logs/templates/_helpers.tpl | 20 - .../charts/audit-logs/values.yaml | 66 - .../charts/cloudwatch/.helmignore | 23 - .../charts/cloudwatch/Chart.yaml | 24 - .../charts/cloudwatch/README.md | 17 - .../templates/01-operator-01-namespace.yaml | 4 - ...1-operator-02-secret-dead-mans-switch.yaml | 23 - .../templates/01-operator-03-config-map.yaml | 91 -- .../templates/01-operator-04-deployment.yaml | 64 - .../charts/cloudwatch/templates/_helpers.tpl | 6 - .../charts/cloudwatch/values.yaml | 9 - .../charts/secured-cluster/Chart.yaml | 24 - .../charts/secured-cluster/README.md | 52 - .../secured-cluster/crds/secured-cluster.yaml | 1116 ----------------- .../charts/secured-cluster/init-bundle.yaml | 35 - .../secured-cluster/templates/_helpers.tpl | 3 - .../templates/secured-cluster-cr.yaml | 115 -- .../templates/secured-cluster-namespace.yaml | 4 - .../templates/secured-cluster-secrets.yaml | 114 -- .../charts/secured-cluster/test.sh | 27 - .../charts/secured-cluster/values.yaml | 72 -- .../vertical-pod-autoscaler/.helmignore | 23 - .../charts/vertical-pod-autoscaler/Chart.yaml | 6 - 
.../vertical-pod-autoscaler/values.yaml | 4 - .../helm/rhacs-terraform/templates/scc.yaml | 34 - dp-terraform/helm/rhacs-terraform/values.yaml | 94 -- dp-terraform/test/helm_template_test.go | 69 - .../emailsender-values.yaml | 3 - 45 files changed, 16 insertions(+), 2491 deletions(-) rename {dp-terraform/helm/rhacs-terraform/charts/vertical-pod-autoscaler/templates => dev/env/manifests/vertical-pod-autoscaler-olm}/01-namespace.yaml (100%) rename {dp-terraform/helm/rhacs-terraform/charts/vertical-pod-autoscaler/templates => dev/env/manifests/vertical-pod-autoscaler-olm}/02-subscription.yaml (62%) rename {dp-terraform/helm/rhacs-terraform/charts/vertical-pod-autoscaler/templates => dev/env/manifests/vertical-pod-autoscaler-olm}/03-operator-group.yaml (100%) delete mode 100644 dp-terraform/helm/rhacs-terraform/charts/audit-logs/.helmignore delete mode 100644 dp-terraform/helm/rhacs-terraform/charts/audit-logs/Chart.yaml delete mode 100644 dp-terraform/helm/rhacs-terraform/charts/audit-logs/README.md delete mode 100644 dp-terraform/helm/rhacs-terraform/charts/audit-logs/templates/01-namespace.yaml delete mode 100644 dp-terraform/helm/rhacs-terraform/charts/audit-logs/templates/02-configmap.yaml delete mode 100644 dp-terraform/helm/rhacs-terraform/charts/audit-logs/templates/03-secret.yaml delete mode 100644 dp-terraform/helm/rhacs-terraform/charts/audit-logs/templates/04-serviceaccount.yaml delete mode 100644 dp-terraform/helm/rhacs-terraform/charts/audit-logs/templates/05-service.yaml delete mode 100644 dp-terraform/helm/rhacs-terraform/charts/audit-logs/templates/06-statefulset.yaml delete mode 100644 dp-terraform/helm/rhacs-terraform/charts/audit-logs/templates/_helpers.tpl delete mode 100644 dp-terraform/helm/rhacs-terraform/charts/audit-logs/values.yaml delete mode 100644 dp-terraform/helm/rhacs-terraform/charts/cloudwatch/.helmignore delete mode 100644 dp-terraform/helm/rhacs-terraform/charts/cloudwatch/Chart.yaml delete mode 100644 
dp-terraform/helm/rhacs-terraform/charts/cloudwatch/README.md delete mode 100644 dp-terraform/helm/rhacs-terraform/charts/cloudwatch/templates/01-operator-01-namespace.yaml delete mode 100644 dp-terraform/helm/rhacs-terraform/charts/cloudwatch/templates/01-operator-02-secret-dead-mans-switch.yaml delete mode 100644 dp-terraform/helm/rhacs-terraform/charts/cloudwatch/templates/01-operator-03-config-map.yaml delete mode 100644 dp-terraform/helm/rhacs-terraform/charts/cloudwatch/templates/01-operator-04-deployment.yaml delete mode 100644 dp-terraform/helm/rhacs-terraform/charts/cloudwatch/templates/_helpers.tpl delete mode 100644 dp-terraform/helm/rhacs-terraform/charts/cloudwatch/values.yaml delete mode 100644 dp-terraform/helm/rhacs-terraform/charts/secured-cluster/Chart.yaml delete mode 100644 dp-terraform/helm/rhacs-terraform/charts/secured-cluster/README.md delete mode 100644 dp-terraform/helm/rhacs-terraform/charts/secured-cluster/crds/secured-cluster.yaml delete mode 100644 dp-terraform/helm/rhacs-terraform/charts/secured-cluster/init-bundle.yaml delete mode 100644 dp-terraform/helm/rhacs-terraform/charts/secured-cluster/templates/_helpers.tpl delete mode 100644 dp-terraform/helm/rhacs-terraform/charts/secured-cluster/templates/secured-cluster-cr.yaml delete mode 100644 dp-terraform/helm/rhacs-terraform/charts/secured-cluster/templates/secured-cluster-namespace.yaml delete mode 100644 dp-terraform/helm/rhacs-terraform/charts/secured-cluster/templates/secured-cluster-secrets.yaml delete mode 100755 dp-terraform/helm/rhacs-terraform/charts/secured-cluster/test.sh delete mode 100644 dp-terraform/helm/rhacs-terraform/charts/secured-cluster/values.yaml delete mode 100644 dp-terraform/helm/rhacs-terraform/charts/vertical-pod-autoscaler/.helmignore delete mode 100644 dp-terraform/helm/rhacs-terraform/charts/vertical-pod-autoscaler/Chart.yaml delete mode 100644 dp-terraform/helm/rhacs-terraform/charts/vertical-pod-autoscaler/values.yaml delete mode 100644 
dp-terraform/helm/rhacs-terraform/templates/scc.yaml
diff --git a/.secrets.baseline b/.secrets.baseline
index d3ff9a7ce7..92f556ea64 100644
--- a/.secrets.baseline
+++ b/.secrets.baseline
@@ -244,15 +244,6 @@
 "line_number": 1
 }
 ],
- "dp-terraform/helm/rhacs-terraform/charts/secured-cluster/init-bundle.yaml": [
- {
- "type": "Private Key",
- "filename": "dp-terraform/helm/rhacs-terraform/charts/secured-cluster/init-bundle.yaml",
- "hashed_secret": "f0778f3e140a61d5bbbed5430773e52af2f5fba4",
- "is_verified": false,
- "line_number": 7
- }
- ],
 "internal/central/pkg/api/public/api/openapi.yaml": [
 {
 "type": "Base64 High Entropy String",
diff --git a/dev/env/manifests/fleetshard-operator/51-fleetshard-cr.yaml b/dev/env/manifests/fleetshard-operator/51-fleetshard-cr.yaml
index e29a4a8e99..8f05d7e77d 100644
--- a/dev/env/manifests/fleetshard-operator/51-fleetshard-cr.yaml
+++ b/dev/env/manifests/fleetshard-operator/51-fleetshard-cr.yaml
@@ -4,8 +4,6 @@ metadata:
 name: rhacs-terraform
 namespace: "$ACSCS_NAMESPACE"
 spec:
- acsOperator:
- enabled: false
 fleetshardSync:
 image:
 ref: "$FLEET_MANAGER_IMAGE"
@@ -39,15 +37,3 @@ spec:
 enabled: $ENABLE_EMAIL_SENDER
 enableHTTPS: false
 replicas: 1
- cloudwatch:
- enabled: false
- audit-logs:
- enabled: false
- secured-cluster:
- enabled: false
- scc:
- enabled: false
- vertical-pod-autoscaler:
- enabled: $INSTALL_VERTICAL_POD_AUTOSCALER_OLM
- nodeSelector:
- node-role.kubernetes.io/worker: ""
diff --git a/dp-terraform/helm/rhacs-terraform/charts/vertical-pod-autoscaler/templates/01-namespace.yaml b/dev/env/manifests/vertical-pod-autoscaler-olm/01-namespace.yaml
similarity index 100%
rename from dp-terraform/helm/rhacs-terraform/charts/vertical-pod-autoscaler/templates/01-namespace.yaml
rename to dev/env/manifests/vertical-pod-autoscaler-olm/01-namespace.yaml
diff --git a/dp-terraform/helm/rhacs-terraform/charts/vertical-pod-autoscaler/templates/02-subscription.yaml b/dev/env/manifests/vertical-pod-autoscaler-olm/02-subscription.yaml
similarity index 62%
rename from dp-terraform/helm/rhacs-terraform/charts/vertical-pod-autoscaler/templates/02-subscription.yaml
rename to dev/env/manifests/vertical-pod-autoscaler-olm/02-subscription.yaml
index 885d0a2034..5a08a38ca2 100644
--- a/dp-terraform/helm/rhacs-terraform/charts/vertical-pod-autoscaler/templates/02-subscription.yaml
+++ b/dev/env/manifests/vertical-pod-autoscaler-olm/02-subscription.yaml
@@ -9,8 +9,8 @@ spec:
 name: vertical-pod-autoscaler
 source: redhat-operators
 sourceNamespace: openshift-marketplace
- {{- if .Values.nodeSelector }}
 config:
 nodeSelector:
- {{- toYaml .Values.nodeSelector | nindent 6 }}
- {{- end }}
+ # For HCP clusters, master nodes are hosted so VPA cannot use master node selectors
+ # because of that we need a way to overwrite initial selectors
+ node-role.kubernetes.io/worker: ""
diff --git a/dp-terraform/helm/rhacs-terraform/charts/vertical-pod-autoscaler/templates/03-operator-group.yaml b/dev/env/manifests/vertical-pod-autoscaler-olm/03-operator-group.yaml
similarity index 100%
rename from dp-terraform/helm/rhacs-terraform/charts/vertical-pod-autoscaler/templates/03-operator-group.yaml
rename to dev/env/manifests/vertical-pod-autoscaler-olm/03-operator-group.yaml
diff --git a/dev/env/scripts/bootstrap.sh b/dev/env/scripts/bootstrap.sh
index b09f377f25..2c5bc5bb11 100755
--- a/dev/env/scripts/bootstrap.sh
+++ b/dev/env/scripts/bootstrap.sh
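Review bot: The two added comment lines above `node-role.kubernetes.io/worker: ""` are hard to parse as written ("master nodes are hosted so VPA cannot use master node selectors because of that we need a way to overwrite initial selectors" runs two thoughts together without punctuation). I'd reword them to `# On HCP clusters the master nodes are hosted, so the VPA operator cannot be scheduled with its default master node selector;` and `# pin the OLM-installed operator to worker nodes instead.` Since the file is no longer a Helm template, the selector is now unconditional rather than gated on `.Values.nodeSelector`; that matches the dev-env use, but the comment should say it is deliberate so nobody re-adds a conditional later.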
@@ -53,6 +53,13 @@ else log "Skipping installation of Vertical Pod Autoscaler" fi +if [[ "$INSTALL_VERTICAL_POD_AUTOSCALER_OLM" == "true" ]]; then + log "Installing Vertical Pod Autoscaler using OLM" + apply "${MANIFESTS_DIR}/vertical-pod-autoscaler-olm" +else + log "Skipping installation of Vertical Pod Autoscaler using OLM" +fi + if [[ "$INSTALL_ARGOCD" == "true" ]]; then log "Installing ArgoCD" chamber exec gitops -- apply "${MANIFESTS_DIR}/argocd" diff --git a/dp-terraform/helm/rhacs-terraform/Chart.lock b/dp-terraform/helm/rhacs-terraform/Chart.lock index a8a0d04a09..405996e28f 100644 --- a/dp-terraform/helm/rhacs-terraform/Chart.lock +++ b/dp-terraform/helm/rhacs-terraform/Chart.lock @@ -1,18 +1,3 @@ -dependencies: -- name: cloudwatch - repository: "" - version: 0.1.0 -- name: logging - repository: "" - version: 0.1.0 -- name: audit-logs - repository: "" - version: 0.1.0 -- name: secured-cluster - repository: "" - version: 0.1.0 -- name: vertical-pod-autoscaler - repository: "" - version: 0.1.0 -digest: sha256:0a36a3980788badb99f58aec94b6b1e643e6345c053fced0267561574894b605 -generated: "2025-03-20T14:38:43.263767+01:00" +dependencies: [] +digest: sha256:643d5437104296e21d906ecb15b2c96ad278f20cfc4af53b12bb6069bd853726 +generated: "2025-10-08T13:55:06.652931+02:00" diff --git a/dp-terraform/helm/rhacs-terraform/Chart.yaml b/dp-terraform/helm/rhacs-terraform/Chart.yaml index 72b6196e19..a79f3b0746 100644 --- a/dp-terraform/helm/rhacs-terraform/Chart.yaml +++ b/dp-terraform/helm/rhacs-terraform/Chart.yaml 
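Review bot: The new `INSTALL_VERTICAL_POD_AUTOSCALER_OLM` block is evaluated independently of the preceding Vertical Pod Autoscaler block (whose `if` and variable begin outside the hunk), so with both flags set to `true` the script would install the Vertical Pod Autoscaler twice, standalone and through the OLM Subscription, and the two installs would presumably contend for the same VPA resources. Nothing in the hunk enforces exclusivity; either chain the new condition onto the preceding block with `elif`, or add a short guard that logs and exits when both flags are enabled, so the conflict is explicit rather than discovered at apply time. The `else` branch's log line is fine but reads as a near-duplicate of the one above it; `log "Skipping installation of Vertical Pod Autoscaler via OLM (INSTALL_VERTICAL_POD_AUTOSCALER_OLM != true)"` would make the two skip messages distinguishable in bootstrap output.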
@@ -15,25 +15,13 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: "0.4.0" +version: "0.5.0" # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: "0.4.0" +appVersion: "0.5.0" # List of sub-charts and other dependencies -dependencies: - - name: cloudwatch - version: "0.1.0" - condition: cloudwatch.enabled - - name: audit-logs - version: "0.1.0" - condition: audit-logs.enabled - - name: secured-cluster - version: "0.1.0" - condition: secured-cluster.enabled - - name: vertical-pod-autoscaler - version: "0.1.0" - condition: vertical-pod-autoscaler.enabled +dependencies: [] diff --git a/dp-terraform/helm/rhacs-terraform/charts/audit-logs/.helmignore b/dp-terraform/helm/rhacs-terraform/charts/audit-logs/.helmignore deleted file mode 100644 index 0e8a0eb36f..0000000000 --- a/dp-terraform/helm/rhacs-terraform/charts/audit-logs/.helmignore +++ /dev/null @@ -1,23 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*.orig -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ diff --git a/dp-terraform/helm/rhacs-terraform/charts/audit-logs/Chart.yaml b/dp-terraform/helm/rhacs-terraform/charts/audit-logs/Chart.yaml deleted file mode 100644 index e156567843..0000000000 
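Review bot: Removing the `secured-cluster` dependency drops the chart directory that carried `charts/secured-cluster/init-bundle.yaml`, the file `.secrets.baseline` allowlisted as a `Private Key` (its baseline entry is removed in the same commit). Deleting the file and its allowlist entry takes the material out of the tree but not out of git history, so the commit description should state that the bundle was a non-production sample that is revoked or was never trusted, rather than relying on the deletion alone. The comment `# List of sub-charts and other dependencies` now sits above an empty list; `# No sub-charts: cloudwatch, audit-logs, secured-cluster and vertical-pod-autoscaler were removed (ROX-31000, ROX-31001, ROX-31003, ROX-31004); the dev-env VPA now lives in dev/env/manifests/vertical-pod-autoscaler-olm` would record where they went. The regenerated Chart.lock in this commit also sheds a stale `logging` entry that Chart.yaml never listed, which is worth a sentence in the description since it changes the lock digest for a reason unrelated to the subchart removal.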
--- a/dp-terraform/helm/rhacs-terraform/charts/audit-logs/Chart.yaml +++ /dev/null @@ -1,24 +0,0 @@ -apiVersion: v2 -name: audit-logs -description: "Chart to terraform audit-logs stack for dataplane OSD clusters" - -# A chart can be either an 'application' or a 'library' chart. -# -# Application charts are a collection of templates that can be packaged into versioned archives -# to be deployed. -# -# Library charts provide useful utilities or functions for the chart developer. They're included as -# a dependency of application charts to inject those utilities and functions into the rendering -# pipeline. Library charts do not define any templates and therefore cannot be deployed. -type: application - -# This is the chart version. This version number should be incremented each time you make changes -# to the chart and its templates, including the app version. -# Versions are expected to follow Semantic Versioning (https://semver.org/) -version: "0.1.0" - -# This is the version number of the application being deployed. This version number should be -# incremented each time you make changes to the application. Versions are not expected to -# follow Semantic Versioning. They should reflect the version the application is using. -# It is recommended to use it with quotes. -appVersion: "0.1.0" diff --git a/dp-terraform/helm/rhacs-terraform/charts/audit-logs/README.md b/dp-terraform/helm/rhacs-terraform/charts/audit-logs/README.md deleted file mode 100644 index f365c2f4c5..0000000000 --- a/dp-terraform/helm/rhacs-terraform/charts/audit-logs/README.md +++ /dev/null 
@@ -1,31 +0,0 @@ -# Data plane terraform audit-logs Helm chart - -This chart installs resource into `rhacs-audit-logs` namespace. - -## Usage - -Create a file `~/dp-terraform-audit-logs-values.yaml` with the values for the parameters in [values.yaml](./values.yaml) that are missing or that you want to override. - -**Render the chart to see the generated templates during development** - -```bash -helm template rhacs-terraform-audit-logs \ - --debug \ - --namespace rhacs \ - --values ~/dp-terraform-audit-logs-values.yaml . -``` - -**Install or update the chart** - -```bash -helm upgrade --install rhacs-terraform-audit-logs \ - --namespace rhacs \ - --create-namespace \ - --values ~/dp-terraform-audit-logs-values.yaml . -``` - -**Uninstall the chart and cleanup all created resources** - -```bash -helm uninstall rhacs-terraform-audit-logs --namespace rhacs -``` diff --git a/dp-terraform/helm/rhacs-terraform/charts/audit-logs/templates/01-namespace.yaml b/dp-terraform/helm/rhacs-terraform/charts/audit-logs/templates/01-namespace.yaml deleted file mode 100644 index 0cc5066bd7..0000000000 --- a/dp-terraform/helm/rhacs-terraform/charts/audit-logs/templates/01-namespace.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: {{ include "aggregator.namespace" . }} - annotations: - {{- with .Values.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} diff --git a/dp-terraform/helm/rhacs-terraform/charts/audit-logs/templates/02-configmap.yaml b/dp-terraform/helm/rhacs-terraform/charts/audit-logs/templates/02-configmap.yaml deleted file mode 100644 index 66395fe728..0000000000 --- a/dp-terraform/helm/rhacs-terraform/charts/audit-logs/templates/02-configmap.yaml +++ /dev/null 
@@ -1,16 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "aggregator.fullname" . }} - namespace: {{ include "aggregator.namespace" . }} - labels: - {{- include "aggregator.selectorLabels" . | nindent 4 }} - annotations: - {{- with .Values.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} -data: - {{- if .Values.customConfig }} - vector.yaml: | -{{ tpl (toYaml .Values.customConfig) . | indent 4 }} - {{- end }} diff --git a/dp-terraform/helm/rhacs-terraform/charts/audit-logs/templates/03-secret.yaml b/dp-terraform/helm/rhacs-terraform/charts/audit-logs/templates/03-secret.yaml deleted file mode 100644 index b8d025e8a8..0000000000 --- a/dp-terraform/helm/rhacs-terraform/charts/audit-logs/templates/03-secret.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "aggregator.fullname" . }} - namespace: {{ include "aggregator.namespace" . }} - labels: - {{- include "aggregator.selectorLabels" . | nindent 4 }} - annotations: - {{- with .Values.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} -type: Opaque -data: -{{- range $key, $value := .Values.secrets }} - {{ $key }}: {{ $value | b64enc | quote }} -{{- end }} diff --git a/dp-terraform/helm/rhacs-terraform/charts/audit-logs/templates/04-serviceaccount.yaml b/dp-terraform/helm/rhacs-terraform/charts/audit-logs/templates/04-serviceaccount.yaml deleted file mode 100644 index 11cf751942..0000000000 --- a/dp-terraform/helm/rhacs-terraform/charts/audit-logs/templates/04-serviceaccount.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "aggregator.fullname" . }} - namespace: {{ include "aggregator.namespace" . }} - labels: - {{- include "aggregator.selectorLabels" . | nindent 4 }} - annotations: - {{- with .Values.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} -automountServiceAccountToken: true 
diff --git a/dp-terraform/helm/rhacs-terraform/charts/audit-logs/templates/05-service.yaml b/dp-terraform/helm/rhacs-terraform/charts/audit-logs/templates/05-service.yaml deleted file mode 100644 index 804deae56a..0000000000 --- a/dp-terraform/helm/rhacs-terraform/charts/audit-logs/templates/05-service.yaml +++ /dev/null @@ -1,26 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ include "aggregator.fullname" . }} - namespace: {{ include "aggregator.namespace" . }} - labels: - {{- include "aggregator.selectorLabels" . | nindent 4 }} - annotations: - service.beta.openshift.io/serving-cert-secret-name: {{ include "aggregator.fullname" . }}-tls-secret - {{- with .Values.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - ipFamilies: - - IPv4 - ports: - - name: http-server - protocol: TCP - port: 8888 - targetPort: 8888 - internalTrafficPolicy: Cluster - type: ClusterIP - ipFamilyPolicy: SingleStack - sessionAffinity: None - selector: - {{- include "aggregator.selectorLabels" . | nindent 4 }} diff --git a/dp-terraform/helm/rhacs-terraform/charts/audit-logs/templates/06-statefulset.yaml b/dp-terraform/helm/rhacs-terraform/charts/audit-logs/templates/06-statefulset.yaml deleted file mode 100644 index f80dd501a8..0000000000 --- a/dp-terraform/helm/rhacs-terraform/charts/audit-logs/templates/06-statefulset.yaml +++ /dev/null 
@@ -1,134 +0,0 @@ -kind: StatefulSet -apiVersion: apps/v1 -metadata: - name: {{ include "aggregator.fullname" . }} - namespace: {{ include "aggregator.namespace" . }} - labels: - {{- include "aggregator.selectorLabels" . | nindent 4 }} - annotations: - {{- with .Values.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - replicas: {{ .Values.replicas }} - podManagementPolicy: OrderedReady - selector: - matchLabels: - {{- include "aggregator.selectorLabels" . | nindent 6 }} - serviceName: {{ include "aggregator.fullname" . }} - updateStrategy: - type: RollingUpdate - rollingUpdate: - partition: 0 - template: - metadata: - annotations: - trigger-tls-rotation: {{ now | date "2006" | quote }} - checksum/config: {{ include (print .Template.BasePath "/02-configmap.yaml") . | sha256sum }} - {{- with .Values.annotations }} - {{- toYaml . | nindent 8 }} - {{- end }} - labels: - app: {{ include "aggregator.fullname" . }} - {{- include "aggregator.selectorLabels" . | nindent 8 }} - spec: - dnsPolicy: ClusterFirst - restartPolicy: Always - serviceAccountName: {{ include "aggregator.fullname" . }} - schedulerName: default-scheduler - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchExpressions: - - key: app - operator: In - values: - - {{ include "aggregator.fullname" . }} - topologyKey: topology.kubernetes.io/zone - {{- if .Values.tolerations }} - tolerations: {{- toYaml .Values.tolerations | nindent 8 }} - {{- end }} - {{- if .Values.nodeSelector }} - nodeSelector: {{- toYaml .Values.nodeSelector | nindent 8 }} - {{- end }} - terminationGracePeriodSeconds: 60 - securityContext: {} - containers: - - resources: {} - terminationMessagePath: /tmp/vector-termination-log - name: vector - command: - - /usr/bin/vector - env: - - name: AWS_WEB_IDENTITY_TOKEN_FILE - value: /var/run/secrets/aws-token/aws-token - - name: AWS_REGION - valueFrom: - secretKeyRef: - name: {{ include "aggregator.fullname" . 
}} - key: aws_region - - name: AWS_ROLE_ARN - valueFrom: - secretKeyRef: - name: {{ include "aggregator.fullname" . }} - key: aws_role_arn - ports: - - name: http-server - containerPort: 8888 - protocol: TCP - imagePullPolicy: IfNotPresent - volumeMounts: - - name: config - readOnly: true - mountPath: /etc/aggregator/ - - name: service-tls-secret - readOnly: true - mountPath: /etc/aggregator/tls - - name: aws-token - mountPath: /var/run/secrets/aws-token - {{- if .Values.persistence.enabled }} - - name: data - mountPath: /aggregator-data-dir - {{- end }} - terminationMessagePolicy: File - image: {{ .Values.image | quote }} - args: - - '--config-dir' - - /etc/aggregator/ - serviceAccount: audit-logs-aggregator - volumes: - - name: config - projected: - sources: - - configMap: - name: {{ include "aggregator.fullname" . }} - defaultMode: 420 - - name: service-tls-secret - projected: - sources: - - secret: - name: {{ include "aggregator.fullname" . }}-tls-secret - defaultMode: 420 - - name: aws-token - projected: - sources: - - serviceAccountToken: - audience: 'sts.amazonaws.com' - expirationSeconds: 3600 - path: aws-token - defaultMode: 420 - {{- if .Values.persistence.enabled }} - volumeClaimTemplates: - - metadata: - name: data - spec: - accessModes: - - ReadWriteOnce - {{- if .Values.persistence.storageClassName }} - storageClassName: {{ .Values.persistence.storageClassName }} - {{- end }} - resources: - requests: - storage: {{ .Values.persistence.size }} - {{- end }} diff --git a/dp-terraform/helm/rhacs-terraform/charts/audit-logs/templates/_helpers.tpl b/dp-terraform/helm/rhacs-terraform/charts/audit-logs/templates/_helpers.tpl deleted file mode 100644 index c5a660ab69..0000000000 --- a/dp-terraform/helm/rhacs-terraform/charts/audit-logs/templates/_helpers.tpl +++ /dev/null 
@@ -1,20 +0,0 @@ -{{/* -Namespace for the audit-logs stack. -*/}} -{{- define "aggregator.namespace" }} -{{- printf "%s-%s" .Release.Namespace "audit-logs" | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Full name for audit-log aggregator. -*/}} -{{- define "aggregator.fullname" -}} -{{- printf "%s-%s" .Chart.Name "aggregator" | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Labels for to match related Kubernetes resources (i.e. Service->Pod) -*/}} -{{- define "aggregator.selectorLabels" -}} -app.kubernetes.io/name: {{ include "aggregator.fullname" . }} -{{- end }} diff --git a/dp-terraform/helm/rhacs-terraform/charts/audit-logs/values.yaml b/dp-terraform/helm/rhacs-terraform/charts/audit-logs/values.yaml deleted file mode 100644 index 3a0be11e1c..0000000000 --- a/dp-terraform/helm/rhacs-terraform/charts/audit-logs/values.yaml +++ /dev/null 
@@ -1,66 +0,0 @@ -# Default values for audit-logs charts. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -# Vector image used for audit-logs aggregator. -image: 'registry.redhat.io/openshift-logging/vector-rhel9@sha256:ded523b690006817d7e826eaec49fc62fe94362ec28b66dbd2c3dc4f79384970' - -# General annotations for all deployed resources. -annotations: {} - -# Number of pod replicas in stateful set. It should be equal to number of cluster AZs. -replicas: 3 - -# Configuration used to define persistent volumes for Vector buffer. -persistence: - enabled: true - storageClassName: "" - size: 1Gi - -# Customer configuration for Vector. -customConfig: - # We have to set it because default "data_dir" is different from mount path defined by enabled "persistence". - data_dir: /aggregator-data-dir - sources: - http_server: - type: "http" - address: "0.0.0.0:8888" - decoding: - codec: "json" - tls: - enabled: true - ca_file: "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt" - crt_file: "/etc/aggregator/tls/tls.crt" - key_file: "/etc/aggregator/tls/tls.key" - sinks: - aws_cloudwatch_logs: - type: "aws_cloudwatch_logs" - region: "us-east-1" - group_name: "" - create_missing_group: false - create_missing_stream: true - inputs: ["http_server"] - stream_name: '{{ "{{" }} .tenant_id {{ "}}" }}' - compression: none - healthcheck: - enabled: true - batch: - timeout_secs: 60 - # 4.5M Bytes - max_size: 4718592 - buffer: - type: disk - # 900M Bytes (disk is 1Gi) - max_size: 943718400 - when_full: block - encoding: - codec: "json" - -# Secrets used to set environment variables for Vector pod. -secrets: - aws_region: "us-east-1" - aws_role_arn: "" - -nodeSelector: {} - -tolerations: [] diff --git a/dp-terraform/helm/rhacs-terraform/charts/cloudwatch/.helmignore b/dp-terraform/helm/rhacs-terraform/charts/cloudwatch/.helmignore deleted file mode 100644 index 0e8a0eb36f..0000000000 
--- a/dp-terraform/helm/rhacs-terraform/charts/cloudwatch/.helmignore +++ /dev/null @@ -1,23 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*.orig -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ diff --git a/dp-terraform/helm/rhacs-terraform/charts/cloudwatch/Chart.yaml b/dp-terraform/helm/rhacs-terraform/charts/cloudwatch/Chart.yaml deleted file mode 100644 index 1d831de7ef..0000000000 --- a/dp-terraform/helm/rhacs-terraform/charts/cloudwatch/Chart.yaml +++ /dev/null @@ -1,24 +0,0 @@ -apiVersion: v2 -name: cloudwatch -description: "Chart to deploy the cloudwatch exporter of dataplane OSD clusters" - -# A chart can be either an 'application' or a 'library' chart. -# -# Application charts are a collection of templates that can be packaged into versioned archives -# to be deployed. -# -# Library charts provide useful utilities or functions for the chart developer. They're included as -# a dependency of application charts to inject those utilities and functions into the rendering -# pipeline. Library charts do not define any templates and therefore cannot be deployed. -type: application - -# This is the chart version. This version number should be incremented each time you make changes -# to the chart and its templates, including the app version. -# Versions are expected to follow Semantic Versioning (https://semver.org/) -version: "0.1.0" - -# This is the version number of the application being deployed. This version number should be -# incremented each time you make changes to the application. Versions are not expected to -# follow Semantic Versioning. They should reflect the version the application is using. -# It is recommended to use it with quotes. -appVersion: "0.1.0" 
diff --git a/dp-terraform/helm/rhacs-terraform/charts/cloudwatch/README.md b/dp-terraform/helm/rhacs-terraform/charts/cloudwatch/README.md deleted file mode 100644 index 5dc2ecc343..0000000000 --- a/dp-terraform/helm/rhacs-terraform/charts/cloudwatch/README.md +++ /dev/null @@ -1,17 +0,0 @@ -# Data plane terraform cloudwatch exporter Helm chart - -## Configuration - -The [cloudwatch exporter](https://github.com/prometheus/cloudwatch_exporter) is configured via the -`cloudwatch-exporter-config` config map. See the [AWS metrics list](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.AuroraMySQL.Monitoring.Metrics.html) and [AWS serverless capacity guide](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-serverless-v2.setting-capacity.html) for possible database metric series to export. - -## Authentication - -The `rhacs-cloudwatch-exporter` secret must contain AWS credentials with the following permissions: - -``` -"cloudwatch:GetMetricData", -"cloudwatch:GetMetricStatistics", -"cloudwatch:ListMetrics", -"tag:GetResources", -``` diff --git a/dp-terraform/helm/rhacs-terraform/charts/cloudwatch/templates/01-operator-01-namespace.yaml b/dp-terraform/helm/rhacs-terraform/charts/cloudwatch/templates/01-operator-01-namespace.yaml deleted file mode 100644 index fa69fdb3dc..0000000000 --- a/dp-terraform/helm/rhacs-terraform/charts/cloudwatch/templates/01-operator-01-namespace.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: {{ include "cloudwatch.namespace" . }} diff --git a/dp-terraform/helm/rhacs-terraform/charts/cloudwatch/templates/01-operator-02-secret-dead-mans-switch.yaml b/dp-terraform/helm/rhacs-terraform/charts/cloudwatch/templates/01-operator-02-secret-dead-mans-switch.yaml deleted file mode 100644 index e563ac0736..0000000000 --- a/dp-terraform/helm/rhacs-terraform/charts/cloudwatch/templates/01-operator-02-secret-dead-mans-switch.yaml +++ /dev/null 
@@ -1,23 +0,0 @@ -{{- if and (.Capabilities.APIVersions.Has "external-secrets.io/v1beta1") .Values.global.createExternalSecrets }} -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: rhacs-cloudwatch-exporter - namespace: {{ include "cloudwatch.namespace" . }} -spec: - secretStoreRef: - name: {{ .Values.global.secretStore.aws.secretsManagerSecretStoreName }} - kind: ClusterSecretStore - target: - name: rhacs-cloudwatch-exporter - creationPolicy: Owner - data: - - secretKey: AWS_ACCESS_KEY_ID # pragma: allowlist secret - remoteRef: - key: "cloudwatch-exporter" - property: aws_access_key_id - - secretKey: AWS_SECRET_ACCESS_KEY # pragma: allowlist secret - remoteRef: - key: "cloudwatch-exporter" - property: "aws_secret_access_key" -{{- end }} diff --git a/dp-terraform/helm/rhacs-terraform/charts/cloudwatch/templates/01-operator-03-config-map.yaml b/dp-terraform/helm/rhacs-terraform/charts/cloudwatch/templates/01-operator-03-config-map.yaml deleted file mode 100644 index 5f81a80a77..0000000000 --- a/dp-terraform/helm/rhacs-terraform/charts/cloudwatch/templates/01-operator-03-config-map.yaml +++ /dev/null 
@@ -1,91 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: cloudwatch-exporter-config
- namespace: {{ include "cloudwatch.namespace" . }}
-data:
- config.yml: |-
- apiVersion: v1alpha1
- discovery:
- jobs:
- - type: AWS/RDS
- regions:
- - eu-west-1
- - us-east-1
- searchTags:
- - key: DataplaneClusterName
- value: ^{{ .Values.clusterName }}$
- dimensionNameRequirements:
- - DBInstanceIdentifier
- statistics:
- - Average
- - Maximum
- - Minimum
- - p90
- - p95
- - p99
- metrics:
- - name: DatabaseConnections
- - name: ServerlessDatabaseCapacity
- - name: ACUUtilization
- - name: FreeableMemory
- - name: CPUUtilization
- - name: ReadLatency
- - name: ReadThroughput
- - name: WriteLatency
- - name: WriteThroughput
- - name: NetworkThroughput
- - name: AuroraReplicaLag
- - name: MaximumUsedTransactionIDs
- - name: TransactionLogsDiskUsage
- - name: Deadlocks
- - name: BufferCacheHitRatio
- - type: AWS/SES
- regions:
- - us-east-1
- statistics:
- - Sum
- nilToZero: true
- metrics:
- - name: Delivery
- - name: Send
- - name: Bounce
- - name: Reputation.BounceRate
- - name: Reputation.ComplaintRate
- static:
- - name: selinux_avc_denials
- namespace: "{{ .Values.clusterName }}"
- regions:
- - us-east-1
- metrics:
- - name: SELinuxDenials
- nilToZero: true
- statistics:
- - SampleCount
- period: 60
- length: 300
- - name: network_policy_acl_denials
- namespace: "{{ .Values.clusterName }}"
- regions:
- - us-east-1
- metrics:
- - name: NetworkPolicyDenials
- nilToZero: true
- statistics:
- - SampleCount
- period: 60
- length: 300
- - name: audit_log_incoming_events
- namespace: AWS/Logs
- regions:
- - us-east-1
- dimensions:
- - name: LogGroupName
- value: "{{ .Values.clusterName }}.acs_audit_logs"
- metrics:
- - name: IncomingLogEvents
- statistics:
- - Average
- - SampleCount
- - Sum
- period: 300
diff --git a/dp-terraform/helm/rhacs-terraform/charts/cloudwatch/templates/01-operator-04-deployment.yaml b/dp-terraform/helm/rhacs-terraform/charts/cloudwatch/templates/01-operator-04-deployment.yaml
deleted file mode 100644
index b30ee8478d..0000000000
--- a/dp-terraform/helm/rhacs-terraform/charts/cloudwatch/templates/01-operator-04-deployment.yaml
+++ /dev/null
@@ -1,64 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: cloudwatch-exporter
- namespace: {{ include "cloudwatch.namespace" . }}
- labels:
- app: cloudwatch-exporter
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: cloudwatch-exporter
- template:
- metadata:
- annotations:
- rhacs.redhat.com/cluster-name: {{ .Values.clusterName | quote }}
- rhacs.redhat.com/environment: {{ .Values.environment | quote }}
- labels:
- app: cloudwatch-exporter
- spec:
- {{- if .Values.affinity }}
- affinity: {{ toYaml .Values.affinity | nindent 8 }}
- {{- end }}
- {{- if .Values.nodeSelector }}
- nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }}
- {{- end }}
- {{- if .Values.tolerations }}
- tolerations: {{ toYaml .Values.tolerations | nindent 8 }}
- {{- end }}
- automountServiceAccountToken: false
- containers:
- - name: cloudwatch-exporter
- image: {{ .Values.image | quote }}
- imagePullPolicy: IfNotPresent
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop: ["ALL"]
- runAsNonRoot: true
- seccompProfile:
- type: RuntimeDefault
- args:
- - "--config.file=/tmp/config.yml"
- env:
- - name: AWS_ACCESS_KEY_ID
- valueFrom:
- secretKeyRef:
- name: rhacs-cloudwatch-exporter
- key: AWS_ACCESS_KEY_ID
- - name: AWS_SECRET_ACCESS_KEY
- valueFrom:
- secretKeyRef:
- name: rhacs-cloudwatch-exporter
- key: AWS_SECRET_ACCESS_KEY
- volumeMounts:
- - mountPath: /tmp
- name: config
- ports:
- - name: monitoring
- containerPort: 5000
- volumes:
- - name: config
- configMap:
- name: cloudwatch-exporter-config
diff --git a/dp-terraform/helm/rhacs-terraform/charts/cloudwatch/templates/_helpers.tpl b/dp-terraform/helm/rhacs-terraform/charts/cloudwatch/templates/_helpers.tpl
deleted file mode 100644
index eba8081850..0000000000
--- a/dp-terraform/helm/rhacs-terraform/charts/cloudwatch/templates/_helpers.tpl
+++ /dev/null
@@ -1,6 +0,0 @@
-{{/*
-Namespace for the observability stack.
-*/}}
-{{- define "cloudwatch.namespace" }}
-{{- printf "%s-%s" .Release.Namespace "cloudwatch" }}
-{{- end }}
diff --git a/dp-terraform/helm/rhacs-terraform/charts/cloudwatch/values.yaml b/dp-terraform/helm/rhacs-terraform/charts/cloudwatch/values.yaml
deleted file mode 100644
index 77125a8dc9..0000000000
--- a/dp-terraform/helm/rhacs-terraform/charts/cloudwatch/values.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-clusterName: ""
-environment: ""
-image: "quay.io/prometheuscommunity/yet-another-cloudwatch-exporter:v0.62.1"
-
-nodeSelector: {}
-
-tolerations: []
-
-affinity: {}
diff --git a/dp-terraform/helm/rhacs-terraform/charts/secured-cluster/Chart.yaml b/dp-terraform/helm/rhacs-terraform/charts/secured-cluster/Chart.yaml
deleted file mode 100644
index d3bac3eef9..0000000000
--- a/dp-terraform/helm/rhacs-terraform/charts/secured-cluster/Chart.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: v2
-name: secured-cluster
-description: "Chart to terraform observability components of dataplane OSD clusters"
-
-# A chart can be either an 'application' or a 'library' chart.
-#
-# Application charts are a collection of templates that can be packaged into versioned archives
-# to be deployed.
-#
-# Library charts provide useful utilities or functions for the chart developer. They're included as
-# a dependency of application charts to inject those utilities and functions into the rendering
-# pipeline. Library charts do not define any templates and therefore cannot be deployed.
-type: application
-
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
-# Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: "0.1.0"
-
-# This is the version number of the application being deployed. This version number should be
-# incremented each time you make changes to the application. Versions are not expected to
-# follow Semantic Versioning. They should reflect the version the application is using.
-# It is recommended to use it with quotes.
-appVersion: "0.1.0"
diff --git a/dp-terraform/helm/rhacs-terraform/charts/secured-cluster/README.md b/dp-terraform/helm/rhacs-terraform/charts/secured-cluster/README.md
deleted file mode 100644
index 883fa3a7b4..0000000000
--- a/dp-terraform/helm/rhacs-terraform/charts/secured-cluster/README.md
+++ /dev/null
@@ -1,52 +0,0 @@
-# Data plane terraform secured-cluster Helm chart
-
-This chart simply installs a `SecuredCluster` CR and the dependent secrets
-required to authenticate against a Central instance.
-
-## Custom resource definitions
-
-The initial deployment of the chart requires the installation of the `SecuredCluster`
-custom resource definition. It's required to define the customized `stackrox-secured-cluster-services`
-custom resource in the template folder. Helm installs all CRDs inside the `crds/` folder
-on the first run. Afterwards OLM and the observability operator itself keep the CRDs up to date.
-See the [Helm documentation](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#some-caveats-and-explanations)
-for some caveats and explanations of this approach.
-
-The following commands generate `crds/secured-cluster.yaml`:
-
-```
-TAG=4.3.1
-wget https://raw.githubusercontent.com/stackrox/stackrox/$TAG/operator/bundle/manifests/platform.stackrox.io_securedclusters.yaml
-mv platform.stackrox.io_securedclusters.yaml secured-cluster.yaml
-```
-
-The `centrals.platform.stackrox.io` CRD will need to be deleted from the output file.
-
-## Usage
-
-
-Create a file `~/acs-terraform-secured-cluster-values.yaml` with the values for the parameters in [values.yaml](./values.yaml) that are missing or that you want to override. That file will contain credentials, so make sure you put it in a safe location, and with suitable permissions.
-
-**Render the chart to see the generated templates during development**
-
-```bash
-helm template secured-cluster \
- --debug \
- --namespace rhacs \
- --values ~/acs-terraform-obs-values.yaml .
-```
-
-**Install or update the chart**
-
-```bash
-helm upgrade --install secured-cluster \
- --namespace rhacs \
- --create-namespace \
- --values ~/acs-terraform-obs-values.yaml .
-```
-
-**Uninstall the chart and cleanup all created resources**
-
-```bash
-helm uninstall secured-cluster --namespace rhacs
-```
diff --git a/dp-terraform/helm/rhacs-terraform/charts/secured-cluster/crds/secured-cluster.yaml b/dp-terraform/helm/rhacs-terraform/charts/secured-cluster/crds/secured-cluster.yaml deleted file mode 100644 index b12d7fe1b5..0000000000 --- a/dp-terraform/helm/rhacs-terraform/charts/secured-cluster/crds/secured-cluster.yaml +++ /dev/null @@ -1,1116 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.1 - creationTimestamp: null - name: securedclusters.platform.stackrox.io -spec: - group: platform.stackrox.io - names: - kind: SecuredCluster - listKind: SecuredClusterList - plural: securedclusters - singular: securedcluster - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: SecuredCluster is the configuration template for the secured - cluster services. These include Sensor, which is responsible for the connection - to Central, and Collector, which performs host-level collection of process - and network events.

**Important:** Please see the _Installation Prerequisites_ - on the main RHACS operator page before deploying, or consult the RHACS documentation - on creating cluster init bundles. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: SecuredClusterSpec defines the desired configuration state - of a secured cluster. - properties: - admissionControl: - description: Settings for the Admission Control component, which is - necessary for preventive policy enforcement, and for Kubernetes - event monitoring. - properties: - bypass: - default: BreakGlassAnnotation - description: Enables teams to bypass admission control in a monitored - manner in the event of an emergency. - enum: - - BreakGlassAnnotation - - Disabled - type: string - contactImageScanners: - default: DoNotScanInline - description: Should inline scanning be performed on previously - unscanned images during a deployments admission review. - enum: - - ScanIfMissing - - DoNotScanInline - type: string - listenOnCreates: - default: true - description: Set this to 'true' to enable preventive policy enforcement - for object creations. - type: boolean - listenOnEvents: - default: true - description: Set this to 'true' to enable monitoring and enforcement - for Kubernetes events (port-forward and exec). 
- type: boolean - listenOnUpdates: - default: true - description: "Set this to 'true' to enable preventive policy enforcement - for object updates. \n Note: this will not have any effect unless - 'Listen On Creates' is set to 'true' as well." - type: boolean - nodeSelector: - additionalProperties: - type: string - description: If you want this component to only run on specific - nodes, you can configure a node selector here. - type: object - replicas: - default: 3 - description: The number of replicas of the admission control pod. - format: int32 - minimum: 1 - type: integer - resources: - description: Allows overriding the default resource settings for - this component. Please consult the documentation for an overview - of default resource requirements and a sizing guide. - properties: - claims: - description: "Claims lists the names of resources, defined - in spec.resourceClaims, that are used by this container. - \n This is an alpha field and requires enabling the DynamicResourceAllocation - feature gate. \n This field is immutable. It can only be - set for containers." - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: Name must match the name of one entry in - pod.spec.resourceClaims of the Pod where this field - is used. It makes that resource available inside a - container. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. Requests cannot exceed - Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - timeoutSeconds: - default: 20 - description: Maximum timeout period for admission review, upon - which admission review will fail open. Use it to set request - timeouts when you enable inline image scanning. The default - kubectl timeout is 30 seconds; taking padding into account, - this should not exceed 25 seconds. - format: int32 - maximum: 25 - minimum: 1 - type: integer - tolerations: - description: If you want this component to only run on specific - nodes, you can configure tolerations of tainted nodes. - items: - description: The pod this Toleration is attached to tolerates - any taint that matches the triple using - the matching operator . - properties: - effect: - description: Effect indicates the taint effect to match. - Empty means match all taint effects. When specified, allowed - values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: Key is the taint key that the toleration applies - to. Empty means match all taint keys. If the key is empty, - operator must be Exists; this combination means to match - all values and all keys. - type: string - operator: - description: Operator represents a key's relationship to - the value. Valid operators are Exists and Equal. Defaults - to Equal. 
Exists is equivalent to wildcard for value, - so that a pod can tolerate all taints of a particular - category. - type: string - tolerationSeconds: - description: TolerationSeconds represents the period of - time the toleration (which must be of effect NoExecute, - otherwise this field is ignored) tolerates the taint. - By default, it is not set, which means tolerate the taint - forever (do not evict). Zero and negative values will - be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: Value is the taint value the toleration matches - to. If the operator is Exists, the value should be empty, - otherwise just a regular string. - type: string - type: object - type: array - type: object - auditLogs: - description: Settings relating to the ingestion of Kubernetes audit - logs. - properties: - collection: - default: Auto - description: Whether collection of Kubernetes audit logs should - be enabled or disabled. Currently, this is only supported on - OpenShift 4, and trying to enable it on non-OpenShift 4 clusters - will result in an error. Use the 'Auto' setting to enable it - on compatible environments, and disable it elsewhere. - enum: - - Auto - - Disabled - - Enabled - type: string - type: object - centralEndpoint: - description: 'The endpoint of the Red Hat Advanced Cluster Security - Central instance to connect to, including the port number. If using - a non-gRPC capable load balancer, use the WebSocket protocol by - prefixing the endpoint address with wss://. Note: when leaving this - blank, Sensor will attempt to connect to a Central instance running - in the same namespace.' - type: string - clusterLabels: - additionalProperties: - type: string - description: Custom labels associated with a secured cluster in Red - Hat Advanced Cluster Security. - type: object - clusterName: - description: 'The unique name of this cluster, as it will be shown - in the Red Hat Advanced Cluster Security UI. 
Note: Once a name is - set here, you will not be able to change it again. You will need - to delete and re-create this object in order to register a cluster - with a new name.' - type: string - customize: - description: Customizations to apply on all Central Services components. - properties: - annotations: - additionalProperties: - type: string - description: Custom annotations to set on all managed objects. - type: object - envVars: - description: Custom environment variables to set on managed pods' - containers. - items: - description: EnvVar represents an environment variable present - in a Container. - properties: - name: - description: Name of the environment variable. Must be a - C_IDENTIFIER. - type: string - value: - description: 'Variable references $(VAR_NAME) are expanded - using the previously defined environment variables in - the container and any service environment variables. If - a variable cannot be resolved, the reference in the input - string will be unchanged. Double $$ are reduced to a single - $, which allows for escaping the $(VAR_NAME) syntax: i.e. - "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless - of whether the variable exists or not. Defaults to "".' - type: string - valueFrom: - description: Source for the environment variable's value. - Cannot be used if value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' 
- type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - fieldRef: - description: 'Selects a field of the pod: supports metadata.name, - metadata.namespace, `metadata.labels['''']`, - `metadata.annotations['''']`, spec.nodeName, - spec.serviceAccountName, status.hostIP, status.podIP, - status.podIPs.' - properties: - apiVersion: - description: Version of the schema the FieldPath - is written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in the - specified API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - resourceFieldRef: - description: 'Selects a resource of the container: only - resources limits and requests (limits.cpu, limits.memory, - limits.ephemeral-storage, requests.cpu, requests.memory - and requests.ephemeral-storage) are currently supported.' - properties: - containerName: - description: 'Container name: required for volumes, - optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format of the - exposed resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - secretKeyRef: - description: Selects a key of a secret in the pod's - namespace - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' 
- type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - required: - - name - type: object - type: array - labels: - additionalProperties: - type: string - description: Custom labels to set on all managed objects. - type: object - type: object - imagePullSecrets: - description: Additional image pull secrets to be taken into account - for pulling images. - items: - description: LocalSecretReference is a reference to a secret within - the same namespace. - properties: - name: - description: The name of the referenced secret. - type: string - required: - - name - type: object - type: array - misc: - description: Miscellaneous settings. - properties: - createSCCs: - description: Set this to true to have the operator create SecurityContextConstraints - (SCCs) for the operands. This isn't usually needed, and may - interfere with other workloads. - type: boolean - type: object - monitoring: - description: Monitoring configuration. - properties: - openshift: - description: OpenShiftMonitoring defines settings related to OpenShift - Monitoring - properties: - enabled: - default: true - type: boolean - required: - - enabled - type: object - type: object - overlays: - description: Overlays - items: - description: "K8sObjectOverlay is an overlay that applies a set - of patches to a resource. It targets a resource by its API version, - kind, and name, and applies a list of patches to this resource. 
- \n # Examples \n ## Adding an annotation to a resource \n apiVersion: - v1 kind: ServiceAccount name: central patches: - path: metadata.annotations.eks\\.amazonaws\\.com/role-arn - value: \"\\\"arn:aws:iam:1234:role\\\"\" \n ## Adding an environment - variable to a deployment \n apiVersion: apps/v1 kind: Deployment - name: central patches: - path: spec.template.spec.containers[name:central].env[-1] - value: | name: MY_ENV_VAR value: value \n ## Adding an ingress - to a network policy \n apiVersion: networking.k8s.io/v1 kind: - NetworkPolicy name: allow-ext-to-central patches: - path: spec.ingress[-1] - value: | ports: - port: 999 protocol: TCP \n ## Changing the value - of a configMap \n apiVersion: v1 kind: ConfigMap name: central-endpoints - patches: - path: data value: | endpoints.yaml: | disableDefault: - false \n ## Adding a container to a deployment \n apiVersion: - apps/v1 kind: Deployment name: central patches: - path: spec.template.spec.containers[-1] - value: | name: nginx image: nginx ports: - containerPort: 8000 - name: http protocol: TCP" - properties: - apiVersion: - description: Resource API version. - type: string - kind: - description: Resource kind. - type: string - name: - description: Name of resource. - type: string - patches: - description: List of patches to apply to resource. - items: - description: K8sObjectOverlayPatch defines a patch to apply - to a resource. - properties: - path: - description: Path of the form a.[key1:value1].b.[:value2] - Where [key1:value1] is a selector for a key-value pair - to identify a list element and [:value] is a value selector - to identify a list element in a leaf list. All path - intermediate nodes must exist. - type: string - value: - description: Value to add, delete or replace. For add, - the path should be a new leaf. For delete, value should - be unset. For replace, path should reference an existing - node. All values are strings but are converted into - appropriate type based on schema. 
- type: string - type: object - type: array - type: object - type: array - perNode: - description: Settings for the components running on each node in the - cluster (Collector and Compliance). - properties: - collector: - description: Settings for the Collector container, which is responsible - for collecting process and networking activity at the host level. - properties: - collection: - default: EBPF - description: The method for system-level data collection. - EBPF is recommended. If you select "NoCollection", you will - not be able to see any information about network activity - and process executions. The remaining settings in these - section will not have any effect. - enum: - - EBPF - - CORE_BPF - - NoCollection - - KernelModule - type: string - imageFlavor: - default: Regular - description: The image flavor to use for collector. "Regular" - images are bigger in size, but contain probes for most kernels. - If you use the "Slim" image flavor, you must ensure that - your Central instance is connected to the internet, or regularly - receives Collector Support Package updates (for further - instructions, please refer to the documentation). - enum: - - Regular - - Slim - type: string - resources: - description: Allows overriding the default resource settings - for this component. Please consult the documentation for - an overview of default resource requirements and a sizing - guide. - properties: - claims: - description: "Claims lists the names of resources, defined - in spec.resourceClaims, that are used by this container. - \n This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. \n This field - is immutable. It can only be set for containers." - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: Name must match the name of one entry - in pod.spec.resourceClaims of the Pod where this - field is used. It makes that resource available - inside a container. 
- type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of - compute resources required. If Requests is omitted for - a container, it defaults to Limits if that is explicitly - specified, otherwise to an implementation-defined value. - Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - type: object - compliance: - description: Settings for the Compliance container, which is responsible - for checking host-level configurations. - properties: - resources: - description: Allows overriding the default resource settings - for this component. Please consult the documentation for - an overview of default resource requirements and a sizing - guide. - properties: - claims: - description: "Claims lists the names of resources, defined - in spec.resourceClaims, that are used by this container. - \n This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. \n This field - is immutable. It can only be set for containers." - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. 
- properties: - name: - description: Name must match the name of one entry - in pod.spec.resourceClaims of the Pod where this - field is used. It makes that resource available - inside a container. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of - compute resources required. If Requests is omitted for - a container, it defaults to Limits if that is explicitly - specified, otherwise to an implementation-defined value. - Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - type: object - nodeInventory: - description: Settings for the Node-Inventory container, which - is responsible for scanning the Nodes' filesystem. - properties: - resources: - description: Allows overriding the default resource settings - for this component. Please consult the documentation for - an overview of default resource requirements and a sizing - guide. - properties: - claims: - description: "Claims lists the names of resources, defined - in spec.resourceClaims, that are used by this container. - \n This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. 
\n This field - is immutable. It can only be set for containers." - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: Name must match the name of one entry - in pod.spec.resourceClaims of the Pod where this - field is used. It makes that resource available - inside a container. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of - compute resources required. If Requests is omitted for - a container, it defaults to Limits if that is explicitly - specified, otherwise to an implementation-defined value. - Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - type: object - taintToleration: - default: TolerateTaints - description: To ensure comprehensive monitoring of your cluster - activity, Red Hat Advanced Cluster Security will run services - on every node in the cluster, including tainted nodes by default. - If you do not want this behavior, please select 'AvoidTaints' - here. 
- enum: - - TolerateTaints - - AvoidTaints - type: string - type: object - registryOverride: - description: Set this parameter to override the default registry in - images. For example, nginx:latest -> /library/nginx:latest - type: string - scanner: - description: Settings for the Scanner component, which is responsible - for vulnerability scanning of container images stored in a cluster-local - image repository. - properties: - analyzer: - description: Settings pertaining to the analyzer deployment, such - as for autoscaling. - properties: - nodeSelector: - additionalProperties: - type: string - description: If you want this component to only run on specific - nodes, you can configure a node selector here. - type: object - resources: - description: Allows overriding the default resource settings - for this component. Please consult the documentation for - an overview of default resource requirements and a sizing - guide. - properties: - claims: - description: "Claims lists the names of resources, defined - in spec.resourceClaims, that are used by this container. - \n This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. \n This field - is immutable. It can only be set for containers." - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: Name must match the name of one entry - in pod.spec.resourceClaims of the Pod where this - field is used. It makes that resource available - inside a container. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of - compute resources required. If Requests is omitted for - a container, it defaults to Limits if that is explicitly - specified, otherwise to an implementation-defined value. - Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - scaling: - description: Controls the number of analyzer replicas and - autoscaling. - properties: - autoScaling: - default: Enabled - description: When enabled, the number of analyzer replicas - is managed dynamically based on the load, within the - limits specified below. - enum: - - Enabled - - Disabled - type: string - maxReplicas: - default: 5 - format: int32 - minimum: 1 - type: integer - minReplicas: - default: 2 - format: int32 - minimum: 1 - type: integer - replicas: - default: 3 - description: When autoscaling is disabled, the number - of replicas will always be configured to match this - value. - format: int32 - minimum: 1 - type: integer - type: object - tolerations: - description: If you want this component to only run on specific - nodes, you can configure tolerations of tainted nodes. - items: - description: The pod this Toleration is attached to tolerates - any taint that matches the triple using - the matching operator . - properties: - effect: - description: Effect indicates the taint effect to match. - Empty means match all taint effects. When specified, - allowed values are NoSchedule, PreferNoSchedule and - NoExecute. - type: string - key: - description: Key is the taint key that the toleration - applies to. 
Empty means match all taint keys. If the - key is empty, operator must be Exists; this combination - means to match all values and all keys. - type: string - operator: - description: Operator represents a key's relationship - to the value. Valid operators are Exists and Equal. - Defaults to Equal. Exists is equivalent to wildcard - for value, so that a pod can tolerate all taints of - a particular category. - type: string - tolerationSeconds: - description: TolerationSeconds represents the period - of time the toleration (which must be of effect NoExecute, - otherwise this field is ignored) tolerates the taint. - By default, it is not set, which means tolerate the - taint forever (do not evict). Zero and negative values - will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: Value is the taint value the toleration - matches to. If the operator is Exists, the value should - be empty, otherwise just a regular string. - type: string - type: object - type: array - type: object - db: - description: Settings pertaining to the database used by the Red - Hat Advanced Cluster Security Scanner. - properties: - nodeSelector: - additionalProperties: - type: string - description: If you want this component to only run on specific - nodes, you can configure a node selector here. - type: object - resources: - description: Allows overriding the default resource settings - for this component. Please consult the documentation for - an overview of default resource requirements and a sizing - guide. - properties: - claims: - description: "Claims lists the names of resources, defined - in spec.resourceClaims, that are used by this container. - \n This is an alpha field and requires enabling the - DynamicResourceAllocation feature gate. \n This field - is immutable. It can only be set for containers." - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. 
- properties: - name: - description: Name must match the name of one entry - in pod.spec.resourceClaims of the Pod where this - field is used. It makes that resource available - inside a container. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of - compute resources required. If Requests is omitted for - a container, it defaults to Limits if that is explicitly - specified, otherwise to an implementation-defined value. - Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - tolerations: - description: If you want this component to only run on specific - nodes, you can configure tolerations of tainted nodes. - items: - description: The pod this Toleration is attached to tolerates - any taint that matches the triple using - the matching operator . - properties: - effect: - description: Effect indicates the taint effect to match. - Empty means match all taint effects. When specified, - allowed values are NoSchedule, PreferNoSchedule and - NoExecute. - type: string - key: - description: Key is the taint key that the toleration - applies to. Empty means match all taint keys. 
If the - key is empty, operator must be Exists; this combination - means to match all values and all keys. - type: string - operator: - description: Operator represents a key's relationship - to the value. Valid operators are Exists and Equal. - Defaults to Equal. Exists is equivalent to wildcard - for value, so that a pod can tolerate all taints of - a particular category. - type: string - tolerationSeconds: - description: TolerationSeconds represents the period - of time the toleration (which must be of effect NoExecute, - otherwise this field is ignored) tolerates the taint. - By default, it is not set, which means tolerate the - taint forever (do not evict). Zero and negative values - will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: Value is the taint value the toleration - matches to. If the operator is Exists, the value should - be empty, otherwise just a regular string. - type: string - type: object - type: array - type: object - scannerComponent: - default: AutoSense - description: If you do not want to deploy the Red Hat Advanced - Cluster Security Scanner, you can disable it here (not recommended). - If you do so, all the settings in this section will have no - effect. - enum: - - AutoSense - - Disabled - type: string - type: object - sensor: - description: Settings for the Sensor component. - properties: - nodeSelector: - additionalProperties: - type: string - description: If you want this component to only run on specific - nodes, you can configure a node selector here. - type: object - resources: - description: Allows overriding the default resource settings for - this component. Please consult the documentation for an overview - of default resource requirements and a sizing guide. - properties: - claims: - description: "Claims lists the names of resources, defined - in spec.resourceClaims, that are used by this container. 
- \n This is an alpha field and requires enabling the DynamicResourceAllocation - feature gate. \n This field is immutable. It can only be - set for containers." - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: Name must match the name of one entry in - pod.spec.resourceClaims of the Pod where this field - is used. It makes that resource available inside a - container. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. Requests cannot exceed - Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - tolerations: - description: If you want this component to only run on specific - nodes, you can configure tolerations of tainted nodes. - items: - description: The pod this Toleration is attached to tolerates - any taint that matches the triple using - the matching operator . - properties: - effect: - description: Effect indicates the taint effect to match. 
- Empty means match all taint effects. When specified, allowed - values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: Key is the taint key that the toleration applies - to. Empty means match all taint keys. If the key is empty, - operator must be Exists; this combination means to match - all values and all keys. - type: string - operator: - description: Operator represents a key's relationship to - the value. Valid operators are Exists and Equal. Defaults - to Equal. Exists is equivalent to wildcard for value, - so that a pod can tolerate all taints of a particular - category. - type: string - tolerationSeconds: - description: TolerationSeconds represents the period of - time the toleration (which must be of effect NoExecute, - otherwise this field is ignored) tolerates the taint. - By default, it is not set, which means tolerate the taint - forever (do not evict). Zero and negative values will - be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: Value is the taint value the toleration matches - to. If the operator is Exists, the value should be empty, - otherwise just a regular string. - type: string - type: object - type: array - type: object - tls: - description: Allows you to specify additional trusted Root CAs. - properties: - additionalCAs: - items: - description: AdditionalCA defines a certificate for an additional - Certificate Authority. - properties: - content: - description: PEM format - type: string - name: - description: Must be a valid file basename - type: string - required: - - content - - name - type: object - type: array - type: object - required: - - clusterName - type: object - status: - description: SecuredClusterStatus defines the observed state of SecuredCluster - properties: - clusterName: - description: The assigned cluster name per the spec. This cannot be - changed afterwards. 
If you need to change the cluster name, please - delete and recreate this resource. - type: string - conditions: - items: - description: StackRoxCondition defines a condition for a StackRox - custom resource. - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - description: ConditionReason is a type of values of condition - reason. - type: string - status: - description: ConditionStatus is a type of values of condition - status. - type: string - type: - description: ConditionType is a type of values of condition - type. - type: string - required: - - status - - type - type: object - type: array - deployedRelease: - description: StackRoxRelease describes the Helm "release" that was - most recently applied. - properties: - version: - type: string - type: object - productVersion: - description: The deployed version of the product. - type: string - required: - - conditions - type: object - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: null - storedVersions: null diff --git a/dp-terraform/helm/rhacs-terraform/charts/secured-cluster/init-bundle.yaml b/dp-terraform/helm/rhacs-terraform/charts/secured-cluster/init-bundle.yaml deleted file mode 100644 index 9b79ffee0f..0000000000 --- a/dp-terraform/helm/rhacs-terraform/charts/secured-cluster/init-bundle.yaml +++ /dev/null 
@@ -1,35 +0,0 @@
-admissionControl:
- serviceTLS:
- cert: |
- -----BEGIN CERTIFICATE-----
- cert data
- -----END CERTIFICATE-----
- key: |
- -----BEGIN EC PRIVATE KEY-----
- key data
- -----END EC PRIVATE KEY-----
-ca:
- cert: |
- -----BEGIN CERTIFICATE-----
- cert data
- -----END CERTIFICATE-----
-collector:
- serviceTLS:
- cert: |
- -----BEGIN CERTIFICATE-----
- cert data
- -----END CERTIFICATE-----
- key: |
- -----BEGIN EC PRIVATE KEY-----
- key data
- -----END EC PRIVATE KEY-----
-sensor:
- serviceTLS:
- cert: |
- -----BEGIN CERTIFICATE-----
- cert data
- -----END CERTIFICATE-----
- key: |
- -----BEGIN EC PRIVATE KEY-----
- key data
- -----END EC PRIVATE KEY-----
diff --git a/dp-terraform/helm/rhacs-terraform/charts/secured-cluster/templates/_helpers.tpl b/dp-terraform/helm/rhacs-terraform/charts/secured-cluster/templates/_helpers.tpl
deleted file mode 100644
index 19316e170a..0000000000
--- a/dp-terraform/helm/rhacs-terraform/charts/secured-cluster/templates/_helpers.tpl
+++ /dev/null
@@ -1,3 +0,0 @@
-{{- define "secured-cluster.namespace" }}
-{{- printf "%s-%s" .Release.Namespace "secured-cluster" }}
-{{- end }}
diff --git a/dp-terraform/helm/rhacs-terraform/charts/secured-cluster/templates/secured-cluster-cr.yaml b/dp-terraform/helm/rhacs-terraform/charts/secured-cluster/templates/secured-cluster-cr.yaml
deleted file mode 100644
index e99e29932b..0000000000
--- a/dp-terraform/helm/rhacs-terraform/charts/secured-cluster/templates/secured-cluster-cr.yaml
+++ /dev/null
@@ -1,115 +0,0 @@
-apiVersion: platform.stackrox.io/v1alpha1
-kind: SecuredCluster
-metadata:
- name: stackrox-secured-cluster-services
- namespace: {{ include "secured-cluster.namespace" . }}
- labels:
- # Only one ACS Operator should reconcile a single CR instance.
- # Label selector mechanism helps to specify which ACS Operator should reconcile the instance.
- # The dogfooding instance has to be reconciled only by operator with `rhacs.redhat.com/selector=dogfooding` label selector.
- rhacs.redhat.com/selector: dogfooding
-spec:
- {{- if .Values.pullSecret }}
- imagePullSecrets:
- - name: {{ .Values.pullSecret }}
- {{- end }}
- clusterName: {{ required "clusterName is required when secured-cluster is enabled" .Values.clusterName }}
- centralEndpoint: {{ required "centralEndpoint is required when secured-cluster is enabled" .Values.centralEndpoint }}
- admissionControl:
- {{- if .Values.admissionControl.resources }}
- resources: {{ toYaml .Values.admissionControl.resources | nindent 6 }}
- {{- end }}
- {{- if .Values.admissionControl.tolerations }}
- tolerations: {{ toYaml .Values.admissionControl.tolerations | nindent 6 }}
- {{- end }}
- {{- if .Values.admissionControl.nodeSelector }}
- nodeSelector: {{ toYaml .Values.admissionControl.nodeSelector | nindent 6 }}
- {{- end }}
- sensor:
- {{- if .Values.sensor.resources }}
- resources: {{ toYaml .Values.sensor.resources | nindent 6 }}
- {{- end }}
- {{- if .Values.sensor.tolerations }}
- tolerations: {{ toYaml .Values.sensor.tolerations | nindent 6 }}
- {{- end }}
- {{- if .Values.sensor.nodeSelector }}
- nodeSelector: {{ toYaml .Values.sensor.nodeSelector | nindent 6 }}
- {{- end }}
- perNode:
- collector:
- {{- if .Values.collector.resources }}
- resources: {{ toYaml .Values.collector.resources | nindent 8 }}
- {{- end }}
- {{- if .Values.collector.collection }}
- collection: {{ .Values.collector.collection | quote }}
- {{- end }}
- compliance:
- {{- if .Values.compliance.resources }}
- resources: {{ toYaml .Values.compliance.resources | nindent 8 }}
- {{- end }}
- nodeInventory:
- {{- if .Values.nodeInventory.resources }}
- resources: {{ toYaml .Values.nodeInventory.resources | nindent 8 }}
- {{- end }}
-
- scanner:
- {{- if .Values.scanner.scannerComponent }}
- scannerComponent: {{ .Values.scanner.scannerComponent }}
- {{- end }}
- analyzer:
- {{- if .Values.scanner.analyzer.resources }}
- resources: {{ toYaml .Values.scanner.analyzer.resources | nindent 8 }}
- {{- end }}
- {{- if .Values.scanner.analyzer.tolerations }}
- tolerations: {{ toYaml .Values.scanner.analyzer.tolerations | nindent 8 }}
- {{- end }}
- {{- if .Values.scanner.analyzer.nodeSelector }}
- nodeSelector: {{ toYaml .Values.scanner.analyzer.nodeSelector | nindent 8 }}
- {{- end }}
- db:
- {{- if .Values.scanner.db.resources }}
- resources: {{ toYaml .Values.scanner.db.resources | nindent 8 }}
- {{- end }}
- {{- if .Values.scanner.db.tolerations }}
- tolerations: {{ toYaml .Values.scanner.db.tolerations | nindent 8 }}
- {{- end }}
- {{- if .Values.scanner.db.nodeSelector }}
- nodeSelector: {{ toYaml .Values.scanner.db.nodeSelector | nindent 8 }}
- {{- end }}
-
- scannerV4:
- {{- if .Values.scannerV4.scannerComponent }}
- scannerComponent: {{ .Values.scannerV4.scannerComponent }}
- {{- end }}
- indexer:
- {{- if .Values.scannerV4.indexer.resources }}
- resources: {{ toYaml .Values.scannerV4.indexer.resources | nindent 8 }}
- {{- end }}
- {{- if .Values.scannerV4.indexer.tolerations }}
- tolerations: {{ toYaml .Values.scannerV4.indexer.tolerations | nindent 8 }}
- {{- end }}
- {{- if .Values.scannerV4.indexer.nodeSelector }}
- nodeSelector: {{ toYaml .Values.scannerV4.indexer.nodeSelector | nindent 8 }}
- {{- end }}
- {{- if .Values.scannerV4.indexer.scaling }}
- scaling: {{ toYaml .Values.scannerV4.indexer.scaling | nindent 8 }}
- {{- end }}
-
- db:
- {{- if .Values.scannerV4.db.resources }}
- resources: {{ toYaml .Values.scannerV4.db.resources | nindent 8 }}
- {{- end }}
- {{- if .Values.scannerV4.db.tolerations }}
- tolerations: {{ toYaml .Values.scannerV4.db.tolerations | nindent 8 }}
- {{- end }}
- {{- if .Values.scannerV4.db.nodeSelector }}
- nodeSelector: {{ toYaml .Values.scannerV4.db.nodeSelector | nindent 8 }}
- {{- end }}
- # TODO(ROX-24119): Once the issue is fixed within the Helm chart we can remove this:
- overlays:
- - apiVersion: apps/v1
- kind: DaemonSet
- name: collector
- patches:
- - path: spec.template.spec.containers[name:node-inventory].securityContext.privileged
- value: "true"
diff --git a/dp-terraform/helm/rhacs-terraform/charts/secured-cluster/templates/secured-cluster-namespace.yaml b/dp-terraform/helm/rhacs-terraform/charts/secured-cluster/templates/secured-cluster-namespace.yaml
deleted file mode 100644
index b1c91748b0..0000000000
--- a/dp-terraform/helm/rhacs-terraform/charts/secured-cluster/templates/secured-cluster-namespace.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: {{ include "secured-cluster.namespace" . }}
diff --git a/dp-terraform/helm/rhacs-terraform/charts/secured-cluster/templates/secured-cluster-secrets.yaml b/dp-terraform/helm/rhacs-terraform/charts/secured-cluster/templates/secured-cluster-secrets.yaml
deleted file mode 100644
index 7c130c2de8..0000000000
--- a/dp-terraform/helm/rhacs-terraform/charts/secured-cluster/templates/secured-cluster-secrets.yaml
+++ /dev/null
@@ -1,114 +0,0 @@
-{{- if and (.Capabilities.APIVersions.Has "external-secrets.io/v1beta1") .Values.global.createExternalSecrets }}
----
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
- name: admission-control-tls
- namespace: {{ include "secured-cluster.namespace" . }}
-spec:
- secretStoreRef:
- name: {{ .Values.global.secretStore.aws.secretsManagerSecretStoreName }}
- kind: ClusterSecretStore
- target:
- name: admission-control-tls
- creationPolicy: Owner
- template:
- metadata:
- annotations:
- init-bundle.stackrox.io/name: {{ .Values.clusterName }}
- data:
- - secretKey: ca.pem # pragma: allowlist secret
- remoteRef:
- key: "secured-cluster"
- property: "ca_cert"
- - secretKey: admission-control-cert.pem # pragma: allowlist secret
- remoteRef:
- key: "secured-cluster"
- property: "admission_control_cert"
- - secretKey: admission-control-key.pem # pragma: allowlist secret
- remoteRef:
- key: "secured-cluster"
- property: "admission_control_key"
----
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
- name: collector-tls
- namespace: {{ include "secured-cluster.namespace" . }}
-spec:
- secretStoreRef:
- name: {{ .Values.global.secretStore.aws.secretsManagerSecretStoreName }}
- kind: ClusterSecretStore
- target:
- name: collector-tls
- creationPolicy: Owner
- template:
- metadata:
- annotations:
- init-bundle.stackrox.io/name: {{ .Values.clusterName }}
- data:
- - secretKey: ca.pem # pragma: allowlist secret
- remoteRef:
- key: "secured-cluster"
- property: "ca_cert"
- - secretKey: collector-cert.pem # pragma: allowlist secret
- remoteRef:
- key: "secured-cluster"
- property: "collector_cert"
- - secretKey: collector-key.pem # pragma: allowlist secret
- remoteRef:
- key: "secured-cluster"
- property: "collector_key"
----
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
- name: sensor-tls
- namespace: {{ include "secured-cluster.namespace" . }}
-spec:
- secretStoreRef:
- name: {{ .Values.global.secretStore.aws.secretsManagerSecretStoreName }}
- kind: ClusterSecretStore
- target:
- name: sensor-tls
- creationPolicy: Owner
- template:
- metadata:
- annotations:
- init-bundle.stackrox.io/name: {{ .Values.clusterName }}
- data:
- - secretKey: ca.pem # pragma: allowlist secret
- remoteRef:
- key: "secured-cluster"
- property: "ca_cert"
- - secretKey: sensor-cert.pem # pragma: allowlist secret
- remoteRef:
- key: "secured-cluster"
- property: "sensor_cert"
- - secretKey: sensor-key.pem # pragma: allowlist secret
- remoteRef:
- key: "secured-cluster"
- property: "sensor_key"
-{{- if and .Values.pullSecret .Values.createPullSecret }}
----
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
- name: {{ .Values.pullSecret }}
- namespace: {{ include "secured-cluster.namespace" . }}
-spec:
- secretStoreRef:
- name: {{ .Values.global.secretStore.aws.secretsManagerSecretStoreName }}
- kind: ClusterSecretStore
- target:
- name: {{ .Values.pullSecret }}
- creationPolicy: Owner
- template:
- type: kubernetes.io/dockerconfigjson
- data:
- - secretKey: .dockerconfigjson # pragma: allowlist secret
- remoteRef:
- key: "quay/rhacs-eng"
- property: ".dockerconfigjson"
-{{- end }}
-{{- end }}
diff --git a/dp-terraform/helm/rhacs-terraform/charts/secured-cluster/test.sh b/dp-terraform/helm/rhacs-terraform/charts/secured-cluster/test.sh
deleted file mode 100755
index d6b9272e99..0000000000
--- a/dp-terraform/helm/rhacs-terraform/charts/secured-cluster/test.sh
+++ /dev/null
@@ -1,27 +0,0 @@
-#!/usr/bin/env bash
-set -eo pipefail
-
-SECURED_CLUSTER_CLUSTER_NAME="test-cluster"
-SECURED_CLUSTER_CENTRAL_ENDPOINT="central-endpoint"
-SECURED_CLUSTER_CA_CERT="$(yq .ca.cert init-bundle.yaml)"
-SECURED_CLUSTER_ADMISSION_CONTROL_CERT="$(yq .admissionControl.serviceTLS.cert init-bundle.yaml)"
-SECURED_CLUSTER_ADMISSION_CONTROL_KEY="$(yq .admissionControl.serviceTLS.key init-bundle.yaml)"
-SECURED_CLUSTER_COLLECTOR_CERT="$(yq .collector.serviceTLS.cert init-bundle.yaml)"
-SECURED_CLUSTER_COLLECTOR_KEY="$(yq .collector.serviceTLS.key init-bundle.yaml)"
-SECURED_CLUSTER_SENSOR_CERT="$(yq .sensor.serviceTLS.cert init-bundle.yaml)"
-SECURED_CLUSTER_SENSOR_KEY="$(yq .sensor.serviceTLS.key init-bundle.yaml)"
-
-helm template secured-cluster \
- --debug \
- --include-crds \
- --namespace rhacs \
- --set clusterName="${SECURED_CLUSTER_CLUSTER_NAME}" \
- --set centralEndpoint="${SECURED_CLUSTER_CENTRAL_ENDPOINT}" \
- --set ca.cert="${SECURED_CLUSTER_CA_CERT}" \
- --set admissionControl.serviceTLS.cert="${SECURED_CLUSTER_ADMISSION_CONTROL_CERT}" \
- --set admissionControl.serviceTLS.key="${SECURED_CLUSTER_ADMISSION_CONTROL_KEY}" \
- --set collector.serviceTLS.cert="${SECURED_CLUSTER_COLLECTOR_CERT}" \
- --set collector.serviceTLS.key="${SECURED_CLUSTER_COLLECTOR_KEY}" \
- --set sensor.serviceTLS.cert="${SECURED_CLUSTER_SENSOR_CERT}" \
- --set sensor.serviceTLS.key="${SECURED_CLUSTER_SENSOR_KEY}" \
- .
diff --git a/dp-terraform/helm/rhacs-terraform/charts/secured-cluster/values.yaml b/dp-terraform/helm/rhacs-terraform/charts/secured-cluster/values.yaml
deleted file mode 100644
index abba2b5607..0000000000
--- a/dp-terraform/helm/rhacs-terraform/charts/secured-cluster/values.yaml
+++ /dev/null
@@ -1,72 +0,0 @@
-# Optional name of a secret that should be used by the SecuredCluster
-# deployments to pull images
-pullSecret: ""
-createPullSecret: false
-
-clusterName: ""
-centralEndpoint: ""
-admissionControl:
- resources:
- requests:
- memory: 150Mi
- cpu: 100m
- limits:
- memory: 150Mi
- tolerations: []
- nodeSelector: {}
-collector:
- resources:
- requests:
- memory: 350Mi
- cpu: 10m
- limits:
- memory: 350Mi
- collection: "CORE_BPF"
-compliance:
- resources:
- requests:
- memory: 140Mi
- cpu: 100m
- limits:
- memory: 140Mi
-nodeInventory:
- resources:
- requests:
- memory: 180Mi
- cpu: 20m
- limits:
- memory: 180Mi
-scanner:
- scannerComponent: null
- analyzer:
- tolerations: []
- nodeSelector: {}
- resources:
- requests:
- memory: 100Mi
- cpu: 100m
- db:
- tolerations: []
- nodeSelector: {}
- resources:
- requests:
- memory: 100Mi
- cpu: 100m
-scannerV4:
- scannerComponent: null
- indexer:
- tolerations: []
- nodeSelector: {}
- scaling: null
- db:
- tolerations: []
- nodeSelector: {}
-sensor:
- resources:
- requests:
- memory: 3500Mi
- cpu: 10m
- limits:
- memory: 3500Mi
- tolerations: []
- nodeSelector: {}
diff --git a/dp-terraform/helm/rhacs-terraform/charts/vertical-pod-autoscaler/.helmignore b/dp-terraform/helm/rhacs-terraform/charts/vertical-pod-autoscaler/.helmignore
deleted file mode 100644
index 0e8a0eb36f..0000000000
--- a/dp-terraform/helm/rhacs-terraform/charts/vertical-pod-autoscaler/.helmignore
+++ /dev/null
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/dp-terraform/helm/rhacs-terraform/charts/vertical-pod-autoscaler/Chart.yaml b/dp-terraform/helm/rhacs-terraform/charts/vertical-pod-autoscaler/Chart.yaml
deleted file mode 100644
index c512a60bbc..0000000000
--- a/dp-terraform/helm/rhacs-terraform/charts/vertical-pod-autoscaler/Chart.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: v2
-name: vertical-pod-autoscaler
-description: "Chart to install vertical pod autoscaler"
-type: application
-version: "0.1.0"
-appVersion: "0.1.0"
diff --git a/dp-terraform/helm/rhacs-terraform/charts/vertical-pod-autoscaler/values.yaml b/dp-terraform/helm/rhacs-terraform/charts/vertical-pod-autoscaler/values.yaml
deleted file mode 100644
index 548e81226e..0000000000
--- a/dp-terraform/helm/rhacs-terraform/charts/vertical-pod-autoscaler/values.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-enabled: true
-# For HCP clusters, master nodes are hosted so VPA cannot use master node selectors
-# because of that we need a way to overwrite initial selectors
-nodeSelector: {}
diff --git a/dp-terraform/helm/rhacs-terraform/templates/scc.yaml b/dp-terraform/helm/rhacs-terraform/templates/scc.yaml
deleted file mode 100644
index 77c39be97c..0000000000
--- a/dp-terraform/helm/rhacs-terraform/templates/scc.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-{{- if .Values.scc.enabled }}
-apiVersion: security.openshift.io/v1
-kind: SecurityContextConstraints
-metadata:
- annotations:
- kubernetes.io/description: custom-acscs-ephemeral-volumes allows pods to use the node's ephemeral storage. This is needed until the clusters are upgraded to 4.12 where the anyuid SCC allows using ephemeral volumes by default
- name: custom-acscs-ephemeral-volumes
-runAsUser:
- type: RunAsAny
-seLinuxContext:
- type: MustRunAs
-fsGroup:
- type: RunAsAny
-allowHostDirVolumePlugin: false
-allowHostIPC: false
-allowHostNetwork: false
-allowHostPID: false
-allowHostPorts: false
-allowPrivilegedContainer: false
-readOnlyRootFilesystem: false
-allowPrivilegeEscalation: true
-requiredDropCapabilities:
- - MKNOD
-supplementalGroups:
- type: RunAsAny
-volumes:
- - configMap
- - downwardAPI
- - emptyDir
- - persistentVolumeClaim
- - projected
- - secret
- - ephemeral
-{{- end }}
diff --git a/dp-terraform/helm/rhacs-terraform/values.yaml b/dp-terraform/helm/rhacs-terraform/values.yaml
index 03723dda13..623f3954ab 100644
--- a/dp-terraform/helm/rhacs-terraform/values.yaml
+++ b/dp-terraform/helm/rhacs-terraform/values.yaml
@@ -99,100 +99,6 @@ emailsender:
 cpu: "200m"
 memory: "512Mi"
-# See available parameters in charts/cloudwatch/values.yaml
-# - enabled flag is used to completely enable/disable cloudwatch sub-chart
-cloudwatch:
- enabled: true
- clusterName: ""
- environment: ""
- tolerations:
- - key: node-role.kubernetes.io/acscs-infra
- operator: Exists
- effect: NoSchedule
- nodeSelector:
- node-role.kubernetes.io/acscs-infra: ""
-
-# See available parameters in charts/audit-logs/values.yaml
-# - enabled flag is used to completely enable/disable logging sub-chart
-audit-logs:
- enabled: true
- image: 'registry.redhat.io/openshift-logging/vector-rhel8:v0.28'
- annotations: {}
- replicas: 3
- tolerations:
- - key: node-role.kubernetes.io/acscs-infra
- operator: Exists
- effect: NoSchedule
- nodeSelector:
- node-role.kubernetes.io/acscs-infra: ""
- persistence:
- enabled: true
- storageClassName: ""
- size: 1Gi
- secrets:
- aws_role_arn: ""
-
-secured-cluster:
- enabled: true
- pullSecret: ""
- clusterName: ""
- centralEndpoint: ""
- admissionControl:
- tolerations:
- - key: node-role.kubernetes.io/acscs-infra
- operator: Exists
- effect: NoSchedule
- nodeSelector:
- node-role.kubernetes.io/acscs-infra: ""
- sensor:
- tolerations:
- - key: node-role.kubernetes.io/acscs-infra
- operator: Exists
- effect: NoSchedule
- nodeSelector:
- node-role.kubernetes.io/acscs-infra: ""
- scanner:
- scannerComponent: AutoSense
- db:
- tolerations:
- - key: node-role.kubernetes.io/acscs-infra
- operator: Exists
- effect: NoSchedule
- nodeSelector:
- node-role.kubernetes.io/acscs-infra: ""
- analyzer:
- tolerations:
- - key: node-role.kubernetes.io/acscs-infra
- operator: Exists
- effect: NoSchedule
- nodeSelector:
- node-role.kubernetes.io/acscs-infra: ""
- scannerV4:
- scannerComponent: AutoSense
- db:
- tolerations:
- - key: node-role.kubernetes.io/acscs-infra
- operator: Exists
- effect: NoSchedule
- nodeSelector:
- node-role.kubernetes.io/acscs-infra: ""
- indexer:
- tolerations:
- - key: node-role.kubernetes.io/acscs-infra
- operator: Exists
- effect: NoSchedule
- nodeSelector:
- node-role.kubernetes.io/acscs-infra: ""
-
-vertical-pod-autoscaler:
- enabled: true
- # For HCP clusters, master nodes are hosted so VPA cannot use master node selectors
- # because of that we need a way to overwrite initial selectors
- nodeSelector: {}
-
-scc:
- enabled: true
-
 global:
 image:
 tag: "latest"
diff --git a/dp-terraform/test/helm_template_test.go b/dp-terraform/test/helm_template_test.go
index e561db60c8..6479d63edf 100644
--- a/dp-terraform/test/helm_template_test.go
+++ b/dp-terraform/test/helm_template_test.go
@@ -16,7 +16,6 @@ func TestHelmTemplate_FleetshardSyncDeployment_ServiceAccountTokenAuthType(t *te
 t.Parallel()
 deployment := unmarshalFleetshardSyncDeployment(t, map[string]string{
- "secured-cluster.enabled": "false",
 "fleetshardSync.managedDB.enabled": "false",
 "fleetshardSync.authType": "SERVICE_ACCOUNT_TOKEN",
 })
@@ -111,7 +110,6 @@ func TestHelmTemplate_FleetshardSyncDeployment_Tenant(t *testing.T) {
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
 values := map[string]string{
- "secured-cluster.enabled": "false",
 "fleetshardSync.managedDB.enabled": "false",
 }
@@ -179,7 +177,6 @@ func TestHelmTemplate_FleetshardSyncDeployment_Image(t *testing.T) {
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
 values := map[string]string{
- "secured-cluster.enabled": "false",
 "fleetshardSync.managedDB.enabled": "false",
 }
@@ -239,7 +236,6 @@ func TestHelmTemplate_FleetshardSync_ImagePullSecret(t *testing.T) {
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
 values := map[string]string{
- "secured-cluster.enabled": "false",
 "fleetshardSync.managedDB.enabled": "false",
 "fleetshardSync.tenantImagePullSecret.create": tt.createPullSecret,
 }
@@ -262,68 +258,6 @@ func TestHelmTemplate_FleetshardSync_ImagePullSecret(t *testing.T) {
 }
 }
-func TestHelmTemplate_SecuredCluster_ImagePullSecret(t *testing.T) {
- t.Parallel()
-
- tests := []struct {
- name string
- pullSecret string
- createPullSecret string
- wantPullSecret bool
- }{
- {
- name: "should not create secret when pull secret is not set and createPullSecret is false",
- pullSecret: "",
- createPullSecret: "false",
- wantPullSecret: false,
- },
- {
- name: "should not create secret when pull secret is set and createPullSecret is false",
- pullSecret: "quay-image-pull-secret",
- createPullSecret: "false",
- wantPullSecret: false,
- },
- {
- name: "should not create secret when pull secret is not set and createPullSecret is true",
- pullSecret: "",
- createPullSecret: "true",
- wantPullSecret: false,
- },
- {
- name: "should create secret when pull secret is set and createPullSecret is true",
- pullSecret: "quay-image-pull-secret",
- createPullSecret: "true",
- wantPullSecret: true,
- },
- }
-
- for _, tt := range tests {
- t.Run(tt.name, func(t *testing.T) {
- values := map[string]string{
- "secured-cluster.clusterName": "test-cluster",
- "secured-cluster.centralEndpoint": "https://localhost:8443",
- "secured-cluster.createPullSecret": tt.createPullSecret,
- "fleetshardSync.managedDB.enabled": "false",
- }
- if tt.pullSecret != "" {
- values["secured-cluster.pullSecret"] = tt.pullSecret // pragma: allowlist secret
- }
-
- output := renderTemplate(t, values, "charts/secured-cluster/templates/secured-cluster-secrets.yaml")
- allRange := strings.Split(output, "---")
- for _, rawOutput := range allRange[1:] {
- var secret corev1.Secret
- helm.UnmarshalK8SYaml(t, rawOutput, &secret)
- if secret.Name == tt.pullSecret {
- require.True(t, tt.wantPullSecret)
- return
- }
- }
- require.False(t, tt.wantPullSecret)
- })
- }
-}
-
 func TestHelmTemplate_FleetshardSyncDeployment_ManagedDBTags(t *testing.T) {
 t.Parallel()
@@ -336,7 +270,6 @@ func TestHelmTemplate_FleetshardSyncDeployment_ManagedDBTags(t *testing.T) {
 {
 name: "should not add env vars if managedDB is disabled",
 values: map[string]string{
- "secured-cluster.enabled": "false",
 "fleetshardSync.managedDB.enabled": "false",
 "fleetshardSync.managedDB.sharedTags[0].key": "tag1",
 "fleetshardSync.managedDB.sharedTags[0].value": "value1",
@@ -346,7 +279,6 @@ func TestHelmTemplate_FleetshardSyncDeployment_ManagedDBTags(t *testing.T) {
 {
 name: "should add env vars if managedDB is enabled",
 values: map[string]string{
- "secured-cluster.enabled": "false",
 "fleetshardSync.managedDB.enabled": "true",
 "fleetshardSync.managedDB.subnetGroup": "dummy-subnet-group",
 "fleetshardSync.managedDB.securityGroup": "dummy-security-group",
@@ -365,7 +297,6 @@ func TestHelmTemplate_FleetshardSyncDeployment_ManagedDBTags(t *testing.T) {
 {
 name: "should not add env vars if managedDB is enabled but no tags are provided",
 values: map[string]string{
- "secured-cluster.enabled": "false",
 "fleetshardSync.managedDB.enabled": "true",
 "fleetshardSync.managedDB.subnetGroup": "dummy-subnet-group",
 "fleetshardSync.managedDB.securityGroup": "dummy-security-group",
diff --git a/scripts/ci/central_compatibility/emailsender-values.yaml b/scripts/ci/central_compatibility/emailsender-values.yaml
index 41fec5ca4d..79baec53bd 100644
--- a/scripts/ci/central_compatibility/emailsender-values.yaml
+++ b/scripts/ci/central_compatibility/emailsender-values.yaml
@@ -19,6 +19,3 @@ emailsender:
 clusterName: test
 replicas: 1
 authConfigFromKubernetes: true
-secured-cluster:
- clusterName: test
- centralEndpoint: dummyEndpoint