From 0574b8d98c715384539f107be2698a7a68366dec Mon Sep 17 00:00:00 2001
From: day0hero
Date: Wed, 15 Apr 2026 15:26:29 +0100
Subject: [PATCH 1/2] ESO and maxPodSize changed in the pattern
- OpenShift ESO support is now part of the pattern. The applications have been updatedate to use the new apiVersion.
- To support the large number of pods being deployed per hosted cluster we updated the maxpods count to 500. this should allow us to utilize more of the compute capacity before triggering the cluster autoscaler.
- Update the MCE to 2.11
- and updated the feature list to fix out of sync errors.
---
 .gitignore | 1 +
 .../templates/eso-github-groupsync.yaml | 2 +-
 .../templates/eso-hypershift-aws.yaml | 2 +-
 charts/all/hypershift/values.yaml | 2 +
 charts/all/kubelet-config/Chart.yaml | 9 +++
 .../templates/kubelet-config.yaml | 10 ++++
 charts/all/kubelet-config/values.yaml | 6 ++
 .../all/oauth/templates/eso-github-oauth.yaml | 2 +-
 values-global.yaml | 2 +-
 values-hypershift.yaml | 20 ++++---
 values-prod.yaml | 56 ++++++++++++++-----
 11 files changed, 87 insertions(+), 25 deletions(-)
 create mode 100644 charts/all/kubelet-config/Chart.yaml
 create mode 100644 charts/all/kubelet-config/templates/kubelet-config.yaml
 create mode 100644 charts/all/kubelet-config/values.yaml
diff --git a/.gitignore b/.gitignore
index 3f3db957..01d23719 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,3 +7,4 @@ pattern-vault.init
 vault.init
 super-linter.log
 common/pattern-vault.init
+.cursor/*
diff --git a/charts/all/groupsync/templates/eso-github-groupsync.yaml b/charts/all/groupsync/templates/eso-github-groupsync.yaml
index efc8267b..5a94440c 100644
--- a/charts/all/groupsync/templates/eso-github-groupsync.yaml
+++ b/charts/all/groupsync/templates/eso-github-groupsync.yaml
@@ -4,7 +4,7 @@
 {{- if not ($gs.disabled | default false) }}
 {{- $vaultKey := .Values.global.groupsync.githubAppKeyPath | default .Values.githubAppKeyPath | default "secret/data/hub/githubGroupSync" }}
 ---
-apiVersion: "external-secrets.io/v1beta1"
+apiVersion: "external-secrets.io/v1"
 kind: ExternalSecret
 metadata:
   name: {{ .Values.global.groupsync.secretName }}
diff --git a/charts/all/hypershift/templates/eso-hypershift-aws.yaml b/charts/all/hypershift/templates/eso-hypershift-aws.yaml
index fbcaecd3..2ad37b65 100644
--- a/charts/all/hypershift/templates/eso-hypershift-aws.yaml
+++ b/charts/all/hypershift/templates/eso-hypershift-aws.yaml
@@ -1,6 +1,6 @@
 {{- if .Values.global.useExternalSecrets }}
 ---
-apiVersion: "external-secrets.io/v1beta1"
+apiVersion: "external-secrets.io/v1"
 kind: ExternalSecret
 metadata:
   name: hypershift-eso-aws
diff --git a/charts/all/hypershift/values.yaml b/charts/all/hypershift/values.yaml
index 360c901a..fb2fceb9 100644
--- a/charts/all/hypershift/values.yaml
+++ b/charts/all/hypershift/values.yaml
@@ -122,3 +122,5 @@ mce:
       enabled: "false"
     - name: cluster-api-provider-openshift-assisted
       enabled: "false"
+    - name: cluster-api-provider-azure-preview
+      enabled: "false"
diff --git a/charts/all/kubelet-config/Chart.yaml b/charts/all/kubelet-config/Chart.yaml
new file mode 100644
index 00000000..08b7cee5
--- /dev/null
+++ b/charts/all/kubelet-config/Chart.yaml
@@ -0,0 +1,9 @@
+apiVersion: v2
+name: kubelet-config
+description: A Helm chart for configuring KubeletConfig to adjust maxPods
+
+type: application
+
+version: 0.1.0
+
+appVersion: "0.1.0"
diff --git a/charts/all/kubelet-config/templates/kubelet-config.yaml b/charts/all/kubelet-config/templates/kubelet-config.yaml
new file mode 100644
index 00000000..2e3fa156
--- /dev/null
+++ b/charts/all/kubelet-config/templates/kubelet-config.yaml
@@ -0,0 +1,10 @@
+apiVersion: machineconfiguration.openshift.io/v1
+kind: KubeletConfig
+metadata:
+  name: set-max-pods
+spec:
+  machineConfigPoolSelector:
+    matchLabels:
+      pools.operator.machineconfiguration.openshift.io/{{ .Values.kubelet.targetPool }}: ""
+  kubeletConfig:
+    maxPods: {{ .Values.kubelet.maxPods }}
diff --git a/charts/all/kubelet-config/values.yaml b/charts/all/kubelet-config/values.yaml
new file mode 100644
index 00000000..e042edd7
--- /dev/null
+++ b/charts/all/kubelet-config/values.yaml
@@ -0,0 +1,6 @@
+# KubeletConfig settings
+kubelet:
+  maxPods: 500
+  # MachineConfigPool role segment: "worker" for normal clusters; "master" for compact/3-node
+  # hubs where all nodes are in the master pool (worker MCP has no machines).
+  targetPool: worker
diff --git a/charts/all/oauth/templates/eso-github-oauth.yaml b/charts/all/oauth/templates/eso-github-oauth.yaml
index fe2a751b..24698a86 100644
--- a/charts/all/oauth/templates/eso-github-oauth.yaml
+++ b/charts/all/oauth/templates/eso-github-oauth.yaml
@@ -1,5 +1,5 @@
 ---
-apiVersion: "external-secrets.io/v1beta1"
+apiVersion: "external-secrets.io/v1"
 kind: ExternalSecret
 metadata:
   name: {{ .Values.global.oauth.secretName }}
diff --git a/values-global.yaml b/values-global.yaml
index 1622259e..2899ceb3 100644
--- a/values-global.yaml
+++ b/values-global.yaml
@@ -8,7 +8,7 @@ global:
     installPlanApproval: Automatic
 main:
-  clusterGroupName: staging
+  clusterGroupName: prod
   multiSourceConfig:
     enabled: true
     clusterGroupChartVersion: 0.9.*
diff --git a/values-hypershift.yaml b/values-hypershift.yaml
index 0d7cf2ce..869922f8 100644
--- a/values-hypershift.yaml
+++ b/values-hypershift.yaml
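Review bot: `maxPods: {{ .Values.kubelet.maxPods }}` and the selector key built from `{{ .Values.kubelet.targetPool }}` render with no guard, so an unset maxPods produces `maxPods:` (null) and an empty targetPool produces the label key `pools.operator.machineconfiguration.openshift.io/`, which matches no pool and leaves the KubeletConfig silently unapplied. Wrapping both in `required`, e.g. `maxPods: {{ required "kubelet.maxPods must be set" .Values.kubelet.maxPods }}`, turns that into a render-time failure instead of a quiet no-op. Separately, pushing a node past the 250-pod default is usually paired with higher kubelet API rate limits (`kubeAPIQPS`/`kubeAPIBurst`) and is bounded by the per-node pod CIDR derived from the cluster network's hostPrefix; neither is visible here, so it is worth a `# NOTE` in the template, or an exposed value, once confirmed against the target clusters.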
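Review bot: `clusterGroupName: staging` → `clusterGroupName: prod` changes which cluster group (and its values-<group>.yaml) a fresh install of the pattern lands on by default, but the commit message only describes the ESO, maxPods and MCE work. If the switch is intended it deserves a sentence of its own in the message, since it affects every deployment rather than the hub configuration the rest of the patch touches; if it is a leftover from local testing it should be dropped from this commit.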
@@ -5,16 +5,15 @@ global:
     createBucket: true
     oidc:
       # OIDC bucket information: provide region and bucketName
-      region: ''
-      bucketName: ''
+      region: "s3-bucket-region"
+      bucketName: "s3-bucket-name"
   # GitHub organization(s) — shared by oauth and group-sync
   github:
     orgs:
-      - name: 'github-org-name'
+      - name: 'gh-org-name'
         # Teams: Group Sync uses them for OpenShift groups. OAuth uses org/team slugs
         # for login when this list is non-empty; otherwise OAuth allows the whole org.
-        # Team names are case-sensitive and must match GitHub exactly, including hyphens. For example: Engineering, not engineering
         teams: []
   # register a GitHub oAuth application: https://github.com/settings/applications/new
@@ -25,7 +24,7 @@ global:
     type: GitHub
     secretName: ocp-github-oauth
     github:
-      clientID: 'github-app-client-id'
+      clientID: 'gh-oauth-client-id'
   # Group Sync Operator — syncs GitHub teams to OpenShift groups.
   # Vault secret githubGroupSync: `appId` = GitHub App ID (settings/apps → About), not installation ID;
@@ -36,6 +35,12 @@ global:
     credentialsSecretName: github-group-sync
     url: https://api.github.com/
+# KubeletConfig (charts/all/kubelet-config).
+# If cluster is compact 3-node hub: all nodes are on the master
+# MachineConfigPool; the worker pool is empty, so targetPool must be master.
+kubelet:
+  targetPool: worker
+
 # Cluster Autoscaling Configuration
 # Enable autoscaling to automatically adjust cluster size based on workload demands
 autoscaling:
@@ -74,8 +79,7 @@ autoscaling:
 # Set rbac.create to false if you want to skip creation of role/rolebinding.
 rbac:
-  create: false
+  create: true
 # Provide a list of users and/or groups to add to the clusterrolebinding
-# Group and user names must match GitHub exactly, including hyphens. For example: Engineering, not engineering
   users: []
-  groups: []
+  groups: []
\ No newline at end of file
diff --git a/values-prod.yaml b/values-prod.yaml
index 6bba367a..57fb8ee9 100644
--- a/values-prod.yaml
+++ b/values-prod.yaml
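Review bot: The empty OIDC placeholders are replaced with plausible-looking literals, `region: "s3-bucket-region"` and `bucketName: "s3-bucket-name"`, while `createBucket: true` sits two lines above them. S3 bucket names are one global namespace, so a deployment that forgets to override these will try to create or reuse a bucket literally named `s3-bucket-name`, which anyone may already own, and the hosted clusters' OIDC discovery documents would be published to it. Keeping the values empty and failing at render time with `required`, or using an obviously invalid placeholder such as `bucketName: "CHANGE-ME-oidc-bucket"` (uppercase is rejected by S3, so it cannot be created by accident), avoids that; the enclosing `global:` mapping starts above the hunk.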
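Review bot: `create: true` now turns on role/rolebinding creation while the subject lists beneath it stay `users: []` and `groups: []`, so the consuming chart presumably renders a binding with no subjects. If that is meant as a scaffold for adopters to fill in, the comment above it should say so (`# Set to true and populate users/groups below; an empty binding grants nothing`); otherwise the previous `create: false` was the safer default and the flip belongs in the commit message. The hunk also drops the file's trailing newline (`\ No newline at end of file`); restoring it keeps the next diff to this file clean.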
@@ -3,14 +3,26 @@ clusterGroup:
   isHubCluster: true
   sharedValueFiles:
     - /values-hypershift.yaml
+    - '/overrides/values-{{ $.Values.global.clusterPlatform }}.yaml'
+    - '/overrides/values-{{ $.Values.global.clusterVersion }}-{{ $.Values.clusterGroup.name }}.yaml'
   namespaces:
-    - vault
-    - golang-external-secrets
-    - multicluster-engine
-    - group-sync-operator
+    vault:
+    multicluster-engine:
+    group-sync-operator:
+    golang-external-secrets:
+      disabled: true
+    external-secrets-operator:
+      operatorGroup: true
+      targetNamespaces: []
+    external-secrets:
   subscriptions:
+    eso:
+      name: openshift-external-secrets-operator
+      namespace: external-secrets-operator
+      channel: stable-v1
+
     mce:
       name: multicluster-engine
       namespace: multicluster-engine
@@ -22,7 +34,7 @@ clusterGroup:
       source: community-operators
       channel: alpha
-  projects:
+  argoProjects:
     - hub
     - hypershift
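Review bot: The new `external-secrets-operator:` namespace sets `operatorGroup: true` with `targetNamespaces: []`, which is the AllNamespaces install mode and gives the operator cluster-wide scope, and the `eso:` subscription names no catalog `source`, so it installs from whatever the clustergroup chart defaults to. Both are plausibly what ESO needs, but they are the two choices in this hunk that decide where the operator comes from and what it can reach, and neither is stated. Add `# AllNamespaces install mode: ESO reconciles ExternalSecrets cluster-wide` above `targetNamespaces: []`, and pin the catalog with an explicit `source:` (`redhat-operators`, if that is where openshift-external-secrets-operator ships) so the operator's origin is visible in review rather than implied by a default.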
@@ -35,33 +47,51 @@ clusterGroup:
       chartVersion: 0.1.*
     golang-external-secrets:
-      name: golang-external-secrets
-      namespace: golang-external-secrets
-      project: hub
-      chart: golang-external-secrets
-      chartVersion: 0.1.*
+      disabled: true
+    openshift-external-secrets:
+      name: openshift-external-secrets
+      namespace: external-secrets
+      argoProject: hub
+      chart: openshift-external-secrets
+      chartVersion: 0.0.*
     hypershift:
       disabled: false
       name: hypershift
       namespace: multicluster-engine
-      project: hypershift
+      argoProject: hypershift
       path: charts/all/hypershift
     oauth:
       disabled: false
       name: oauth
       namespace: openshift-config
-      project: hub
+      argoProject: hub
       path: charts/all/oauth
     groupsync:
       disabled: false
       name: groupsync
       namespace: group-sync-operator
-      project: hub
+      argoProject: hub
       path: charts/all/groupsync
+    kubelet-config:
+      disabled: false
+      name: kubelet-config
+      namespace: openshift-machine-config-operator
+      argoProject: hub
+      path: charts/all/kubelet-config
+      # Apply after other hub Applications (default sync-wave 0). KubeletConfig triggers
+      # MCO rollouts that can disrupt pods (e.g. Vault) if they run concurrently.
+      annotations:
+        argocd.argoproj.io/sync-wave: "100"
+      ignoreDifferences:
+        - group: machineconfiguration.openshift.io
+          kind: KubeletConfig
+          jqPathExpressions:
+            - .metadata.annotations
+
   imperative:
     # NOTE: We *must* use lists and not hashes. As hashes lose ordering once parsed by helm
     # The default schedule is every 10 minutes: imperative.schedule
From e030a96015608d04e9bd0f2639452aee2d05d1fd Mon Sep 17 00:00:00 2001
From: day0hero
Date: Wed, 15 Apr 2026 15:34:38 +0100
Subject: [PATCH 2/2] add pattern-metadata for UI
---
 pattern-metadata.yaml | 49 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)
 create mode 100644 pattern-metadata.yaml
diff --git a/pattern-metadata.yaml b/pattern-metadata.yaml
new file mode 100644
index 00000000..8e7c94f0
--- /dev/null
+++ b/pattern-metadata.yaml
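Review bot: `ignoreDifferences` on the kubelet-config Application uses `jqPathExpressions: - .metadata.annotations`, which hides every annotation on the KubeletConfig from Argo drift detection, not just the ones the machine-config operator writes back; if the specific MCO-owned annotation key is known, narrowing the expression to it keeps any other annotation change visible in the sync status. The new `openshift-external-secrets` Application is pinned only to `chartVersion: 0.0.*`, so any new 0.0.x pushed to the Helm repository is adopted on the next sync without review — a floating patch range is this file's existing convention, but for a pre-1.0 chart that manages secret delivery a fixed version is the more defensible choice. The `imperative:` stanza at the bottom of the hunk continues outside it.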
@@ -0,0 +1,49 @@
+# This goal of this metadata is mainly used as a source of truth for
+# documentation and qe
+metadata_version: "1.0"
+name: hypershift
+description: An infrastructure pattern for deploying and managing OpenShift clusters using HyperShift.
+pattern_version: "1.0"
+display_name: HyperShift
+repo_url: https://github.com/validatedpatterns-sandbox/hypershift
+docs_repo_url: https://github.com/validatedpatterns/docs
+issues_url: https://github.com/validatedpatterns-sandbox/hypershift/issues
+docs_url: https://validatedpatterns.io/patterns/hypershift/
+ci_url: https://validatedpatterns.io/ci/?pattern=hypershift
+# can be sandbox, tested or maintained
+tier: tested
+owners: day0hero
+requirements:
+  hub: # Main cluster
+    compute:
+      platform:
+        gcp:
+          replicas: 3
+          type: n1-standard-8
+        azure:
+          replicas: 3
+          type: Standard_D8s_v3
+        aws:
+          replicas: 3
+          type: m5.4xlarge
+    controlPlane:
+      platform:
+        gcp:
+          replicas: 3
+          type: n1-standard-4
+        azure:
+          replicas: 3
+          type: Standard_D4s_v3
+        aws:
+          replicas: 3
+          type: m5.2xlarge
+
+# Loosely defined extra features like hypershift support, non-openshift
+# kubernetes support, spoke support
+extra_features:
+  hypershift_support: true
+  spoke_support: false
+
+external_requirements:
+# external quay, s3 bucket, agof tokens to access paywalled material, manifests, rag-llm hw (only selected regions)
+s3 bucket: true
\ No newline at end of file
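Review bot: `s3 bucket: true` is written at column 0, so it parses as a separate top-level key (with a space in its name) and `external_requirements:` directly above it is left as a bare null rather than the mapping the preceding comment describes; indent the entry under it and use a conventional key, `external_requirements:` followed by `  s3_bucket: true`, so a consumer reading `external_requirements` actually sees the S3 dependency. `owners: day0hero` is a plain scalar where the metadata schema likely expects a list — confirm against the consumer and write it as a one-item sequence if so. The header comment reads `# This goal of this metadata` and should be `# The goal of this metadata`, and the file ends without a trailing newline.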