diff --git a/.gitignore b/.gitignore index 3f3db957..01d23719 100644 --- a/.gitignore +++ b/.gitignore @@ -7,3 +7,4 @@ pattern-vault.init vault.init super-linter.log common/pattern-vault.init +.cursor/* diff --git a/charts/all/groupsync/templates/eso-github-groupsync.yaml b/charts/all/groupsync/templates/eso-github-groupsync.yaml index efc8267b..5a94440c 100644 --- a/charts/all/groupsync/templates/eso-github-groupsync.yaml +++ b/charts/all/groupsync/templates/eso-github-groupsync.yaml @@ -4,7 +4,7 @@ {{- if not ($gs.disabled | default false) }} {{- $vaultKey := .Values.global.groupsync.githubAppKeyPath | default .Values.githubAppKeyPath | default "secret/data/hub/githubGroupSync" }} --- -apiVersion: "external-secrets.io/v1beta1" +apiVersion: "external-secrets.io/v1" kind: ExternalSecret metadata: name: {{ .Values.global.groupsync.secretName }} diff --git a/charts/all/hypershift/templates/eso-hypershift-aws.yaml b/charts/all/hypershift/templates/eso-hypershift-aws.yaml index fbcaecd3..2ad37b65 100644 --- a/charts/all/hypershift/templates/eso-hypershift-aws.yaml +++ b/charts/all/hypershift/templates/eso-hypershift-aws.yaml @@ -1,6 +1,6 @@ {{- if .Values.global.useExternalSecrets }} --- -apiVersion: "external-secrets.io/v1beta1" +apiVersion: "external-secrets.io/v1" kind: ExternalSecret metadata: name: hypershift-eso-aws diff --git a/charts/all/hypershift/values.yaml b/charts/all/hypershift/values.yaml index 360c901a..fb2fceb9 100644 --- a/charts/all/hypershift/values.yaml +++ b/charts/all/hypershift/values.yaml @@ -122,3 +122,5 @@ mce: enabled: "false" - name: cluster-api-provider-openshift-assisted enabled: "false" + - name: cluster-api-provider-azure-preview + enabled: "false" diff --git a/charts/all/kubelet-config/Chart.yaml b/charts/all/kubelet-config/Chart.yaml new file mode 100644 index 00000000..08b7cee5 --- /dev/null +++ b/charts/all/kubelet-config/Chart.yaml 
@@ -0,0 +1,9 @@ +apiVersion: v2 +name: kubelet-config +description: A Helm chart for configuring KubeletConfig to adjust maxPods + +type: application + +version: 0.1.0 + +appVersion: "0.1.0" diff --git a/charts/all/kubelet-config/templates/kubelet-config.yaml b/charts/all/kubelet-config/templates/kubelet-config.yaml new file mode 100644 index 00000000..2e3fa156 --- /dev/null +++ b/charts/all/kubelet-config/templates/kubelet-config.yaml @@ -0,0 +1,10 @@ +apiVersion: machineconfiguration.openshift.io/v1 +kind: KubeletConfig +metadata: + name: set-max-pods +spec: + machineConfigPoolSelector: + matchLabels: + pools.operator.machineconfiguration.openshift.io/{{ .Values.kubelet.targetPool }}: "" + kubeletConfig: + maxPods: {{ .Values.kubelet.maxPods }} diff --git a/charts/all/kubelet-config/values.yaml b/charts/all/kubelet-config/values.yaml new file mode 100644 index 00000000..e042edd7 --- /dev/null +++ b/charts/all/kubelet-config/values.yaml @@ -0,0 +1,6 @@ +# KubeletConfig settings +kubelet: + maxPods: 500 + # MachineConfigPool role segment: "worker" for normal clusters; "master" for compact/3-node + # hubs where all nodes are in the master pool (worker MCP has no machines). + targetPool: worker diff --git a/charts/all/oauth/templates/eso-github-oauth.yaml b/charts/all/oauth/templates/eso-github-oauth.yaml index fe2a751b..24698a86 100644 --- a/charts/all/oauth/templates/eso-github-oauth.yaml +++ b/charts/all/oauth/templates/eso-github-oauth.yaml @@ -1,5 +1,5 @@ --- -apiVersion: "external-secrets.io/v1beta1" +apiVersion: "external-secrets.io/v1" kind: ExternalSecret metadata: name: {{ .Values.global.oauth.secretName }} diff --git a/pattern-metadata.yaml b/pattern-metadata.yaml new file mode 100644 index 00000000..8e7c94f0 --- /dev/null +++ b/pattern-metadata.yaml 
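Review bot: The label key under `matchLabels` is built from `.Values.kubelet.targetPool` with no guard, so an empty or missing value renders `pools.operator.machineconfiguration.openshift.io/: ""`, an invalid label key that is only rejected when Argo CD syncs it rather than at render time. Wrap it as `pools.operator.machineconfiguration.openshift.io/{{ required "kubelet.targetPool must be set (worker or master)" .Values.kubelet.targetPool }}: ""` so a bad override fails in `helm template`. The same applies to `maxPods: {{ .Values.kubelet.maxPods }}`, which renders as a bare `maxPods:` (null) when the value is absent. The file is new and the whole KubeletConfig is visible in the hunk.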
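Review bot: `maxPods: 500` in the new charts/all/kubelet-config/values.yaml doubles the OpenShift default of 250 without documenting the constraint it depends on: a node can only run as many pods as its pod CIDR can address, which is fixed by the cluster network `hostPrefix` at install time (a /23 leaves roughly 510 usable addresses per node), and that value is not visible in this commit, so it should be confirmed against the target hub. Suggested comment above the key: `# Must stay below the per-node pod CIDR size (install-config hostPrefix; a /23 gives ~510 addresses) and within node CPU/memory; OCP default is 250.` The `targetPool` comment already in the file is a good model for this.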
@@ -0,0 +1,49 @@ +# This goal of this metadata is mainly used as a source of truth for +# documentation and qe +metadata_version: "1.0" +name: hypershift +description: An infrastructure pattern for deploying and managing OpenShift clusters using HyperShift. +pattern_version: "1.0" +display_name: HyperShift +repo_url: https://github.com/validatedpatterns-sandbox/hypershift +docs_repo_url: https://github.com/validatedpatterns/docs +issues_url: https://github.com/validatedpatterns-sandbox/hypershift/issues +docs_url: https://validatedpatterns.io/patterns/hypershift/ +ci_url: https://validatedpatterns.io/ci/?pattern=hypershift +# can be sandbox, tested or maintained +tier: tested +owners: day0hero +requirements: + hub: # Main cluster + compute: + platform: + gcp: + replicas: 3 + type: n1-standard-8 + azure: + replicas: 3 + type: Standard_D8s_v3 + aws: + replicas: 3 + type: m5.4xlarge + controlPlane: + platform: + gcp: + replicas: 3 + type: n1-standard-4 + azure: + replicas: 3 + type: Standard_D4s_v3 + aws: + replicas: 3 + type: m5.2xlarge + +# Loosely defined extra features like hypershift support, non-openshift +# kubernetes support, spoke support +extra_features: + hypershift_support: true + spoke_support: false + +external_requirements: +# external quay, s3 bucket, agof tokens to access paywalled material, manifests, rag-llm hw (only selected regions) +s3 bucket: true \ No newline at end of file diff --git a/values-global.yaml b/values-global.yaml index 1622259e..2899ceb3 100644 --- a/values-global.yaml +++ b/values-global.yaml @@ -8,7 +8,7 @@ global: installPlanApproval: Automatic main: - clusterGroupName: staging + clusterGroupName: prod multiSourceConfig: enabled: true clusterGroupChartVersion: 0.9.* diff --git a/values-hypershift.yaml b/values-hypershift.yaml index 0d7cf2ce..869922f8 100644 --- a/values-hypershift.yaml +++ b/values-hypershift.yaml 
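Review bot: `s3 bucket: true` at the end of the new pattern-metadata.yaml is at column 0, so it parses as a separate top-level key and `external_requirements:` is left as a bare key that parses as null; whatever consumes this metadata will see no external requirements at all. Indent it under the key and use the same snake_case as the other keys, e.g. `external_requirements:` / `  s3_bucket: true`, and end the file with a newline (the hunk shows `\ No newline at end of file`). Two other inconsistencies to confirm: `tier: tested` while `repo_url` and `issues_url` point at the validatedpatterns-sandbox organization, and `owners: day0hero` is a scalar although the key name suggests a list. The leading comment reads better as `# This metadata is mainly used as a source of truth for documentation and QE`.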
@@ -5,16 +5,15 @@ global: createBucket: true oidc: # OIDC bucket information: provide region and bucketName - region: '' - bucketName: '' + region: "s3-bucket-region" + bucketName: "s3-bucket-name" # GitHub organization(s) — shared by oauth and group-sync github: orgs: - - name: 'github-org-name' + - name: 'gh-org-name' # Teams: Group Sync uses them for OpenShift groups. OAuth uses org/team slugs # for login when this list is non-empty; otherwise OAuth allows the whole org. - # Team names are case-sensitive and must match GitHub exactly, including hyphens. For example: Engineering, not engineering teams: [] # register a GitHub oAuth application: https://github.com/settings/applications/new @@ -25,7 +24,7 @@ global: type: GitHub secretName: ocp-github-oauth github: - clientID: 'github-app-client-id' + clientID: 'gh-oauth-client-id' # Group Sync Operator — syncs GitHub teams to OpenShift groups. # Vault secret githubGroupSync: `appId` = GitHub App ID (settings/apps → About), not installation ID; @@ -36,6 +35,12 @@ global: credentialsSecretName: github-group-sync url: https://api.github.com/ +# KubeletConfig (charts/all/kubelet-config). +# If cluster is compact 3-node hub: all nodes are on the master +# MachineConfigPool; the worker pool is empty, so targetPool must be master. +kubelet: + targetPool: worker + # Cluster Autoscaling Configuration # Enable autoscaling to automatically adjust cluster size based on workload demands autoscaling: @@ -74,8 +79,7 @@ autoscaling: # Set rbac.create to false if you want to skip creation of role/rolebinding. rbac: - create: false + create: true # Provide a list of users and/or groups to add to the clusterrolebinding -# Group and user names must match GitHub exactly, including hyphens. For example: Engineering, not engineering users: [] - groups: [] + groups: [] \ No newline at end of file diff --git a/values-prod.yaml b/values-prod.yaml index 6bba367a..57fb8ee9 100644 --- a/values-prod.yaml +++ b/values-prod.yaml 
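Review bot: `region: "s3-bucket-region"` and `bucketName: "s3-bucket-name"` replace the empty defaults with placeholder strings that look like real settings, and `createBucket: true` two lines above means an unedited values file may make the hub try to create a bucket with that literal name in a non-existent region; an empty value could previously be detected by the consuming template, though I cannot see that template here. Mark them so they cannot be mistaken for defaults, e.g. `region: "s3-bucket-region"  # REPLACE: AWS region of the OIDC bucket` and `bucketName: "s3-bucket-name"  # REPLACE: globally unique S3 bucket name`, or have the hypershift chart reject these exact placeholder strings with `fail` so the mistake surfaces at render time. The enclosing `global:` mapping starts before the hunk.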
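Review bot: In the `@@ -74,8 +79,7 @@` hunk, `rbac.create` is switched to `true` while `users: []` and `groups: []` stay empty, so the rendered role binding has no subjects until someone fills in the lists; that is harmless but surprising, and I cannot see from the hunk which role it binds, so confirm it is the least privilege those GitHub groups need. Suggested comment above `users: []`: `# With rbac.create true the role/rolebinding is rendered even when both lists are empty (no subjects); add GitHub users/teams here to grant access.` The hunk also drops the file's trailing newline (`\ No newline at end of file`), which yamllint flags; restore it.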
@@ -3,14 +3,26 @@ clusterGroup: isHubCluster: true sharedValueFiles: - /values-hypershift.yaml + - '/overrides/values-{{ $.Values.global.clusterPlatform }}.yaml' + - '/overrides/values-{{ $.Values.global.clusterVersion }}-{{ $.Values.clusterGroup.name }}.yaml' namespaces: - - vault - - golang-external-secrets - - multicluster-engine - - group-sync-operator + vault: + multicluster-engine: + group-sync-operator: + golang-external-secrets: + disabled: true + external-secrets-operator: + operatorGroup: true + targetNamespaces: [] + external-secrets: subscriptions: + eso: + name: openshift-external-secrets-operator + namespace: external-secrets-operator + channel: stable-v1 + mce: name: multicluster-engine namespace: multicluster-engine @@ -22,7 +34,7 @@ clusterGroup: source: community-operators channel: alpha - projects: + argoProjects: - hub - hypershift 
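Review bot: The new `external-secrets-operator` namespace sets `operatorGroup: true` with `targetNamespaces: []`, which, as far as I can tell from the clustergroup chart's conventions, renders an OperatorGroup with no target namespaces, i.e. an all-namespaces install; that is what ESO needs to serve ExternalSecrets cluster-wide, but it is a cluster-scoped grant and deserves a comment, e.g. `targetNamespaces: []  # all-namespaces OperatorGroup: ESO must watch ExternalSecrets in every namespace`. The `eso` subscription gives `name`, `namespace` and `channel: stable-v1` but no `source`, unlike the `source: community-operators` visible in the next hunk; if more than one catalog offers the package, the catalog OLM resolves it from is not pinned, so add `source: redhat-operators` (or whichever catalog is intended). Both points are in the `@@ -3,14 +3,26 @@` hunk; the `clusterGroup:` mapping starts before it.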
@@ -35,33 +47,51 @@ clusterGroup: chartVersion: 0.1.* golang-external-secrets: - name: golang-external-secrets - namespace: golang-external-secrets - project: hub - chart: golang-external-secrets - chartVersion: 0.1.* + disabled: true + openshift-external-secrets: + name: openshift-external-secrets + namespace: external-secrets + argoProject: hub + chart: openshift-external-secrets + chartVersion: 0.0.* hypershift: disabled: false name: hypershift namespace: multicluster-engine - project: hypershift + argoProject: hypershift path: charts/all/hypershift oauth: disabled: false name: oauth namespace: openshift-config - project: hub + argoProject: hub path: charts/all/oauth groupsync: disabled: false name: groupsync namespace: group-sync-operator - project: hub + argoProject: hub path: charts/all/groupsync + kubelet-config: + disabled: false + name: kubelet-config + namespace: openshift-machine-config-operator + argoProject: hub + path: charts/all/kubelet-config + # Apply after other hub Applications (default sync-wave 0). KubeletConfig triggers + # MCO rollouts that can disrupt pods (e.g. Vault) if they run concurrently. + annotations: + argocd.argoproj.io/sync-wave: "100" + ignoreDifferences: + - group: machineconfiguration.openshift.io + kind: KubeletConfig + jqPathExpressions: + - .metadata.annotations + imperative: # NOTE: We *must* use lists and not hashes. As hashes lose ordering once parsed by helm # The default schedule is every 10 minutes: imperative.schedule