feature/kubelet maxpodsize pr

.gitignore

@@ -7,3 +7,4 @@ pattern-vault.init
 vault.init
 super-linter.log
 common/pattern-vault.init
+.cursor/*

charts/all/groupsync/templates/eso-github-groupsync.yaml

@@ -4,7 +4,7 @@
 {{- if not ($gs.disabled | default false) }}
 {{- $vaultKey := .Values.global.groupsync.githubAppKeyPath | default .Values.githubAppKeyPath | default "secret/data/hub/githubGroupSync" }}
 ---
-apiVersion: "external-secrets.io/v1beta1"
+apiVersion: "external-secrets.io/v1"
 kind: ExternalSecret
 metadata:
   name: {{ .Values.global.groupsync.secretName }}

charts/all/hypershift/templates/eso-hypershift-aws.yaml

@@ -1,6 +1,6 @@
 {{- if .Values.global.useExternalSecrets }}
 ---
-apiVersion: "external-secrets.io/v1beta1"
+apiVersion: "external-secrets.io/v1"
 kind: ExternalSecret
 metadata:
   name: hypershift-eso-aws

charts/all/hypershift/values.yaml

@@ -122,3 +122,5 @@ mce:
       enabled: "false"
     - name: cluster-api-provider-openshift-assisted
       enabled: "false"
+    - name: cluster-api-provider-azure-preview
+      enabled: "false"

charts/all/kubelet-config/Chart.yaml

@@ -0,0 +1,9 @@
+apiVersion: v2
+name: kubelet-config
+description: A Helm chart for configuring KubeletConfig to adjust maxPods
+
+type: application
+
+version: 0.1.0
+
+appVersion: "0.1.0"

charts/all/kubelet-config/templates/kubelet-config.yaml

@@ -0,0 +1,10 @@
+apiVersion: machineconfiguration.openshift.io/v1
+kind: KubeletConfig
+metadata:
+  name: set-max-pods
+spec:
+  machineConfigPoolSelector:
+    matchLabels:
+      pools.operator.machineconfiguration.openshift.io/{{ .Values.kubelet.targetPool }}: ""
+  kubeletConfig:
+    maxPods: {{ .Values.kubelet.maxPods }}

charts/all/kubelet-config/values.yaml

@@ -0,0 +1,6 @@
+# KubeletConfig settings
+kubelet:
+  maxPods: 500
+  # MachineConfigPool role segment: "worker" for normal clusters; "master" for compact/3-node
+  # hubs where all nodes are in the master pool (worker MCP has no machines).
+  targetPool: worker

charts/all/oauth/templates/eso-github-oauth.yaml

@@ -1,5 +1,5 @@
 ---
-apiVersion: "external-secrets.io/v1beta1"
+apiVersion: "external-secrets.io/v1"
 kind: ExternalSecret
 metadata:
   name: {{ .Values.global.oauth.secretName }}

pattern-metadata.yaml

@@ -0,0 +1,49 @@
+# This goal of this metadata is mainly used as a source of truth for
+# documentation and qe
+metadata_version: "1.0"
+name: hypershift
+description: An infrastructure pattern for deploying and managing OpenShift clusters using HyperShift. 
+pattern_version: "1.0"
+display_name: HyperShift
+repo_url: https://github.com/validatedpatterns-sandbox/hypershift
+docs_repo_url: https://github.com/validatedpatterns/docs
+issues_url: https://github.com/validatedpatterns-sandbox/hypershift/issues
+docs_url: https://validatedpatterns.io/patterns/hypershift/
+ci_url: https://validatedpatterns.io/ci/?pattern=hypershift
+# can be sandbox, tested or maintained
+tier: tested
+owners: day0hero
+requirements:
+  hub: # Main cluster
+    compute:
+      platform:
+        gcp:
+          replicas: 3
+          type: n1-standard-8
+        azure:
+          replicas: 3
+          type: Standard_D8s_v3
+        aws:
+          replicas: 3
+          type: m5.4xlarge
+    controlPlane:
+      platform:
+        gcp:
+          replicas: 3
+          type: n1-standard-4
+        azure:
+          replicas: 3
+          type: Standard_D4s_v3
+        aws:
+          replicas: 3
+          type: m5.2xlarge
+
+# Loosely defined extra features like hypershift support, non-openshift
+# kubernetes support, spoke support
+extra_features:
+  hypershift_support: true
+  spoke_support: false
+
+external_requirements:
+# external quay, s3 bucket, agof tokens to access paywalled material, manifests, rag-llm hw (only selected regions)
+s3 bucket: true

values-global.yaml

@@ -8,7 +8,7 @@ global:
     installPlanApproval: Automatic
 
 main:
-  clusterGroupName: staging
+  clusterGroupName: prod
   multiSourceConfig:
     enabled: true
     clusterGroupChartVersion: 0.9.*

values-hypershift.yaml

@@ -5,16 +5,15 @@ global:
     createBucket: true
     oidc:
 # OIDC bucket information: provide region and bucketName
-      region: ''
-      bucketName: ''
+      region: "s3-bucket-region"
+      bucketName: "s3-bucket-name"
 
 # GitHub organization(s) — shared by oauth and group-sync
   github:
     orgs:
-    - name: 'github-org-name'
+    - name: 'gh-org-name'
       # Teams: Group Sync uses them for OpenShift groups. OAuth uses org/team slugs
       # for login when this list is non-empty; otherwise OAuth allows the whole org.
-      # Team names are case-sensitive and must match GitHub exactly, including hyphens. For example: Engineering, not engineering
       teams: []
 
 # register a GitHub oAuth application: https://github.com/settings/applications/new
@@ -25,7 +24,7 @@ global:
     type: GitHub
     secretName: ocp-github-oauth
     github:
-      clientID: 'github-app-client-id'
+      clientID: 'gh-oauth-client-id'
 
 # Group Sync Operator — syncs GitHub teams to OpenShift groups.
 # Vault secret githubGroupSync: `appId` = GitHub App ID (settings/apps → About), not installation ID;
@@ -36,6 +35,12 @@ global:
       credentialsSecretName: github-group-sync
       url: https://api.github.com/
 
+# KubeletConfig (charts/all/kubelet-config).
+# If cluster is compact 3-node hub: all nodes are on the master
+# MachineConfigPool; the worker pool is empty, so targetPool must be master.
+kubelet:
+  targetPool: worker
+
 # Cluster Autoscaling Configuration
 # Enable autoscaling to automatically adjust cluster size based on workload demands
 autoscaling:
@@ -74,8 +79,7 @@ autoscaling:
 
 # Set rbac.create to false if you want to skip creation of role/rolebinding.
 rbac:
-  create: false
+  create: true
 # Provide a list of users and/or groups to add to the clusterrolebinding
-# Group and user names must match GitHub exactly, including hyphens. For example: Engineering, not engineering
   users: []
-  groups: []
+  groups: []

values-prod.yaml

@@ -3,14 +3,26 @@ clusterGroup:
   isHubCluster: true
   sharedValueFiles:
     - /values-hypershift.yaml
+    - '/overrides/values-{{ $.Values.global.clusterPlatform }}.yaml'
+    - '/overrides/values-{{ $.Values.global.clusterVersion }}-{{ $.Values.clusterGroup.name }}.yaml'
 
   namespaces:
-    - vault
-    - golang-external-secrets
-    - multicluster-engine
-    - group-sync-operator
+    vault:
+    multicluster-engine:
+    group-sync-operator:
+    golang-external-secrets:
+      disabled: true
+    external-secrets-operator:
+      operatorGroup: true
+      targetNamespaces: []
+    external-secrets:
 
   subscriptions:
+    eso:
+      name: openshift-external-secrets-operator
+      namespace: external-secrets-operator
+      channel: stable-v1
+
     mce:
       name: multicluster-engine
       namespace: multicluster-engine
@@ -22,7 +34,7 @@ clusterGroup:
       source: community-operators
       channel: alpha
 
-  projects:
+  argoProjects:
     - hub
     - hypershift
 
@@ -35,33 +47,51 @@ clusterGroup:
       chartVersion: 0.1.*
 
     golang-external-secrets:
-      name: golang-external-secrets
-      namespace: golang-external-secrets
-      project: hub
-      chart: golang-external-secrets
-      chartVersion: 0.1.*
+      disabled: true
+    openshift-external-secrets:
+      name: openshift-external-secrets
+      namespace: external-secrets
+      argoProject: hub
+      chart: openshift-external-secrets
+      chartVersion: 0.0.*
 
     hypershift:
       disabled: false
       name: hypershift
       namespace: multicluster-engine
-      project: hypershift
+      argoProject: hypershift
       path: charts/all/hypershift
 
     oauth:
       disabled: false
       name: oauth
       namespace: openshift-config
-      project: hub
+      argoProject: hub
       path: charts/all/oauth
 
     groupsync:
       disabled: false
       name: groupsync
       namespace: group-sync-operator
-      project: hub
+      argoProject: hub
       path: charts/all/groupsync
 
+    kubelet-config:
+      disabled: false
+      name: kubelet-config
+      namespace: openshift-machine-config-operator
+      argoProject: hub
+      path: charts/all/kubelet-config
+      # Apply after other hub Applications (default sync-wave 0). KubeletConfig triggers
+      # MCO rollouts that can disrupt pods (e.g. Vault) if they run concurrently.
+      annotations:
+        argocd.argoproj.io/sync-wave: "100"
+      ignoreDifferences:
+        - group: machineconfiguration.openshift.io
+          kind: KubeletConfig
+          jqPathExpressions:
+            - .metadata.annotations
+
   imperative:
     # NOTE: We *must* use lists and not hashes. As hashes lose ordering once parsed by helm
     # The default schedule is every 10 minutes: imperative.schedule