From 1e7b695cb9a45c5b2d7247045e8aaae519215eb8 Mon Sep 17 00:00:00 2001
From: Arthur
Date: Tue, 13 Feb 2024 21:21:10 -0500
Subject: [PATCH] feat: Update Sandbox Install Script
---
 kubernetes/quay/base/config.yaml | 2 +-
 kubernetes/quay/base/kyverno.yaml | 34 +++++++++
 main.bash | 8 +-
 okd/okd-configuration/base/kustomization.yaml | 1 -
 .../overlays/okd/ingress-controller.yaml | 76 +++++++++++++++++++
 .../overlays/okd/kustomization.yaml | 1 +
 .../overlays/sandbox/ingress-controller.yaml | 23 ++++++
 .../overlays/sandbox/kustomization.yaml | 1 +
 8 files changed, 141 insertions(+), 5 deletions(-)
 create mode 100644 okd/okd-configuration/overlays/okd/ingress-controller.yaml
 create mode 100644 okd/okd-configuration/overlays/sandbox/ingress-controller.yaml
diff --git a/kubernetes/quay/base/config.yaml b/kubernetes/quay/base/config.yaml
index 763efb1d8..00c7e04b0 100644
--- a/kubernetes/quay/base/config.yaml
+++ b/kubernetes/quay/base/config.yaml
@@ -1,6 +1,6 @@
 FEATURE_APP_REGISTRY: true
 ALLOW_PULLS_WITHOUT_STRICT_LOGGING: false
-AUTHENTICATION_TYPE: OIDC
+AUTHENTICATION_TYPE: Database #OIDC
 ENTERPRISE_LOGO_URL: /static/img/quay-horizontal-color.svg
 FEATURE_BUILD_SUPPORT: false
 FEATURE_DIRECT_LOGIN: false
diff --git a/kubernetes/quay/base/kyverno.yaml b/kubernetes/quay/base/kyverno.yaml
index d53c45707..062aa77d4 100644
--- a/kubernetes/quay/base/kyverno.yaml
+++ b/kubernetes/quay/base/kyverno.yaml
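Review bot: Switching AUTHENTICATION_TYPE to Database while the context line below still reads `FEATURE_DIRECT_LOGIN: false` leaves no visible way for anyone to sign in with the local accounts that Database auth relies on; Quay's direct-login flag is what exposes the username/password form, so it likely needs to become true for this to be a working sandbox — confirm against the rest of config.yaml, which is outside the hunk. The trailing `#OIDC` records the old value but not why it was dropped or whether it is meant to return; `# sandbox: no OIDC provider available, local Quay accounts only` would tell the next reader both. Any OIDC-specific keys elsewhere in the file are now dead configuration and are worth commenting out so they are not mistaken for the active provider.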
@@ -74,3 +74,37 @@ spec:
 memory: 256Mi
 name: quay-mirror
 validationFailureAction: Audit
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: replace-quay-image
+ annotations:
+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+spec:
+ background: false
+ rules:
+ - name: replace-quay-image
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ mutate:
+ patchStrategicMerge:
+ spec:
+ containers:
+ - (image): "quay.io/projectquay/quay:3.10.2"
+ image: "quay.io/projectquay/quay:v3.10.2"
+ - name: replace-quay-image-init
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ mutate:
+ patchStrategicMerge:
+ spec:
+ initContainers:
+ - (image): "quay.io/projectquay/quay:3.10.2"
+ image: "quay.io/projectquay/quay:v3.10.2"
diff --git a/main.bash b/main.bash
index e8ee6f2d4..04a7df44e 100755
--- a/main.bash
+++ b/main.bash
@@ -880,9 +880,10 @@ install_okd() {
 mkdir -p "${OKD}/vm"
 echo -e "\n\n${BLUE}Download Dependencies:${NC}"
+ export OKD_VERSION=${OKD_VERSION:-latest} # tag/RELEASE_NAME
 # Download openshift-install and openshift-client
- wget "$(curl https://api.github.com/repos/openshift/okd/releases/latest -L | grep openshift-install-linux | grep browser_download_url | grep -v arm | cut -d\" -f4)" -P ${OKD}/
- wget "$(curl https://api.github.com/repos/openshift/okd/releases/latest -L | grep openshift-client-linux | grep -v arm | grep browser_download_url | cut -d\" -f4)" -P ${OKD}/
+ wget "$(curl https://api.github.com/repos/openshift/okd/releases/"${OKD_VERSION}" -L | grep openshift-install-linux | grep browser_download_url | grep -v arm | cut -d\" -f4)" -P ${OKD}/
+ wget "$(curl https://api.github.com/repos/openshift/okd/releases/"${OKD_VERSION}" -L | grep openshift-client-linux | grep -v arm | grep browser_download_url | cut -d\" -f4)" -P ${OKD}/
 tar xvzf ${OKD}/openshift-install-linux* -C ${OKD}
 tar xvzf ${OKD}/openshift-client-linux* -C ${OKD}
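Review bot: Both new rules match every Pod in the cluster with no namespace restriction, so a cluster-scoped mutating webhook is evaluated on every unrelated workload for the sake of one deployment; adding `namespaces: [PLACEHOLDER_QUAY_NAMESPACE]` under each `resources:` entry confines the policy to where Quay runs. The rewrite also replaces one mutable tag with another, so what the Pod actually runs can still drift underneath the policy; a digest reference (`image: "quay.io/projectquay/quay@sha256:PLACEHOLDER_DIGEST"`) would make the substitution reproducible. A one-line comment above the policy saying why the `3.10.2` tag is being rewritten — presumably the operator requests a tag the registry does not publish under that name — would save the next reader a trip to the registry.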
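Review bot: OKD_VERSION is spliced directly into the GitHub API path, so its only working values are `latest` or a `tags/RELEASE_NAME` fragment — the `# tag/RELEASE_NAME` comment hints at this, but a caller who exports a plain release name gets an API error body, an empty grep result and a `wget ""`. Mapping the variable to the path explicitly keeps it meaning what its name says: `release_path=latest; [ "${OKD_VERSION}" != latest ] && release_path="tags/${OKD_VERSION}"`, then `releases/"${release_path}"` in both wget lines. Separately, and pre-existing, the curl runs without `-f`/`-s`, so a rate-limit or unknown-tag response is silently piped through the grep chain and produces the same empty download, and neither archive is compared against the release's published checksums before it is extracted and executed; `curl -fsSL` plus a sha256 check would turn a bad download into a hard failure instead of a broken install later in the function. install_okd continues outside the hunk.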
@@ -938,12 +939,13 @@ install_okd() {
 terraform apply -auto-approve
 echo -e "\n\n${BLUE}Wait for Install To Complete:${NC}"
- yq 'del(.spec.defaultCertificate)' "${HOMELAB}/okd/okd-configuration/base/certificates/ingress-controller.yaml" | ${OKD}/oc apply -f -
+ yq 'del(.spec.defaultCertificate)' "${HOMELAB}/okd/okd-configuration/overlays/sandbox/ingress-controller.yaml" | ${OKD}/oc apply -f -
 ${OKD}/openshift-install --dir=${OKD}/okd wait-for install-complete --log-level debug
 ${OKD}/oc apply -f "${HOMELAB}/okd/okd-configuration/base/operator-hub.yaml"
 ${OKD}/oc apply -f "${HOMELAB}/okd/okd-configuration/base/operators"
+ echo -e "\n\n${BLUE}Setup Image Mirroring:${NC}"
 sed 's/AllowContactingSource/NeverContactSource/' "${HOMELAB}"/okd/okd-configuration/base/image-mirror-set.yaml | kubectl apply -f -
 echo -e "\n\n${BLUE}Install Complete:${NC}"
diff --git a/okd/okd-configuration/base/kustomization.yaml b/okd/okd-configuration/base/kustomization.yaml
index 83299b019..608c129f5 100644
--- a/okd/okd-configuration/base/kustomization.yaml
+++ b/okd/okd-configuration/base/kustomization.yaml
@@ -10,7 +10,6 @@ resources:
 - certificates/api-certificate.yaml
 - certificates/api-server.yaml
 - certificates/ingress-certificate.yaml
- - certificates/ingress-controller.yaml
 - operators/image-registry.yaml
 - operators/samples.yaml
 # - operators/insights.yaml
diff --git a/okd/okd-configuration/overlays/okd/ingress-controller.yaml b/okd/okd-configuration/overlays/okd/ingress-controller.yaml
new file mode 100644
index 000000000..6756c0676
--- /dev/null
+++ b/okd/okd-configuration/overlays/okd/ingress-controller.yaml
@@ -0,0 +1,76 @@
+apiVersion: operator.openshift.io/v1
+kind: IngressController
+metadata:
+ name: default
+ namespace: openshift-ingress-operator
+ annotations:
+ ingress.operator.openshift.io/default-enable-http2: "true"
+ labels:
+ app.kubernetes.io/instance: okd-configuration
+spec:
+ replicas: 2
+ defaultCertificate:
+ name: ingress-certificate
+ # Kube Vip
+ endpointPublishingStrategy:
+ loadBalancer:
+ allowedSourceRanges:
+ # Need to Manually Add loadBalancerIP, hence patch below
+ # Also need to Scale entire Ingress Operator before making the change
+ - 10.0.0.131/32
+ dnsManagementPolicy: Unmanaged
+ providerParameters:
+ type: BareMetal
+ scope: External
+ type: LoadBalancerService
+ ## HaProxy
+ # endpointPublishingStrategy:
+ # hostNetwork:
+ # protocol: PROXY
+ # type: HostNetwork
+ tlsSecurityProfile:
+ type: Modern
+ nodePlacement:
+ tolerations:
+ - key: node-role.kubernetes.io/infra
+ effect: NoSchedule
+ operator: Exists
+---
+# Kube VIP
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ traffic-policy.network.alpha.openshift.io/local-with-fallback: ""
+ labels:
+ app: router
+ ingresscontroller.operator.openshift.io/owning-ingresscontroller: default
+ router: router-default
+ name: router-default
+ namespace: openshift-ingress
+spec:
+ allocateLoadBalancerNodePorts: true
+ clusterIP: 172.30.55.53
+ clusterIPs:
+ - 172.30.55.53
+ externalTrafficPolicy: Local
+ healthCheckNodePort: 32014
+ internalTrafficPolicy: Cluster
+ ipFamilies:
+ - IPv4
+ ipFamilyPolicy: SingleStack
+ loadBalancerIP: 10.0.0.131
+ loadBalancerSourceRanges:
+ - 10.0.0.131/32
+ ports:
+ - name: http
+ nodePort: 32504
+ port: 80
+ targetPort: http
+ - name: https
+ nodePort: 32540
+ port: 443
+ targetPort: https
+ selector:
+ ingresscontroller.operator.openshift.io/deployment-ingresscontroller: default
+ type: LoadBalancer
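Review bot: `allowedSourceRanges` on the IngressController and `loadBalancerSourceRanges` on the Service are both `10.0.0.131/32`, which is the load balancer's own address (`loadBalancerIP: 10.0.0.131`); source-range filtering is applied to the client's source IP, so unless every client is SNATed through the VIP this admits no traffic at all, and the list should hold the intended client CIDR(s) — `- PLACEHOLDER_CLIENT_CIDR` — rather than the VIP. The Service also pins cluster-allocated values (`clusterIP`/`clusterIPs`, `healthCheckNodePort`, both `nodePort`s) that look copied from a live object; listed as a kustomize resource rather than a patch it will contend with the ingress operator, which manages router-default, and a rebuilt cluster may allocate differently and reject the apply. Keeping only `loadBalancerIP`, `externalTrafficPolicy` and the source ranges, applied as a strategic-merge patch, appears to be what the in-file comment (`hence patch below`) intends — worth confirming. The file also lacks a leading `---` document start, which the second document already uses as a separator.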
diff --git a/okd/okd-configuration/overlays/okd/kustomization.yaml b/okd/okd-configuration/overlays/okd/kustomization.yaml
index 5c8fa3a26..5c023e35c 100644
--- a/okd/okd-configuration/overlays/okd/kustomization.yaml
+++ b/okd/okd-configuration/overlays/okd/kustomization.yaml
@@ -4,3 +4,4 @@ resources:
 - ../../base
 - ./wif.yaml
 - ./cluster-version.yaml
+ - ./ingress-controller.yaml
diff --git a/okd/okd-configuration/overlays/sandbox/ingress-controller.yaml b/okd/okd-configuration/overlays/sandbox/ingress-controller.yaml
new file mode 100644
index 000000000..74b5be001
--- /dev/null
+++ b/okd/okd-configuration/overlays/sandbox/ingress-controller.yaml
@@ -0,0 +1,23 @@
+apiVersion: operator.openshift.io/v1
+kind: IngressController
+metadata:
+ name: default
+ namespace: openshift-ingress-operator
+ annotations:
+ ingress.operator.openshift.io/default-enable-http2: "true"
+ labels:
+ app.kubernetes.io/instance: okd-configuration
+spec:
+ defaultCertificate:
+ name: ingress-certificate
+ endpointPublishingStrategy:
+ hostNetwork:
+ protocol: PROXY
+ type: HostNetwork
+ tlsSecurityProfile:
+ type: Modern
+ nodePlacement:
+ tolerations:
+ - key: node-role.kubernetes.io/infra
+ effect: NoSchedule
+ operator: Exists
diff --git a/okd/okd-configuration/overlays/sandbox/kustomization.yaml b/okd/okd-configuration/overlays/sandbox/kustomization.yaml
index 0d6753997..e8986fff8 100644
--- a/okd/okd-configuration/overlays/sandbox/kustomization.yaml
+++ b/okd/okd-configuration/overlays/sandbox/kustomization.yaml
@@ -2,6 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ../../base
+ - ./ingress-controller.yaml
 patches:
 - target:
 kind: APIServer
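Review bot: `protocol: PROXY` under `hostNetwork` makes the router require and trust a PROXY-protocol header, and on HostNetwork it listens on the nodes' own 80/443, so any peer that can reach those ports can present whatever client address it likes to the router's source-IP-based logging and allow-lists. That is only sound when the nodes' 80/443 are reachable solely from the fronting proxy that injects the header (the okd overlay's comments name HAProxy as that front end); a comment stating the assumption, e.g. `# PROXY protocol: node ports 80/443 must only be reachable from the HAProxy front end`, plus a host firewall rule enforcing it, would record and hold that boundary. If the sandbox has no PROXY-speaking front end, plain TLS clients will likely be rejected by the router and `protocol` should be dropped instead. The install script first applies this file with `defaultCertificate` stripped and the overlay later reapplies it with the certificate; that two-phase flow deserves a comment at the top of the file, which also lacks the `---` document start.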