diff --git a/.secrets.baseline b/.secrets.baseline
index e109c65de..e9c863bd3 100644
--- a/.secrets.baseline
+++ b/.secrets.baseline
@@ -3,7 +3,7 @@
 "files": "vendor/*|go.sum|^.secrets.baseline$",
 "lines": null
 },
- "generated_at": "2022-05-16T13:33:33Z",
+ "generated_at": "2023-01-18T16:07:35Z",
 "plugins_used": [
 {
 "name": "AWSKeyDetector"
@@ -128,7 +128,7 @@
 "hashed_secret": "caa006e5e030a94b2be4abf9d333f029df7fa5fc",
 "is_secret": false,
 "is_verified": false,
- "line_number": 29,
+ "line_number": 228,
 "type": "Base64 High Entropy String",
 "verified_result": null
 }
@@ -138,7 +138,7 @@
 "hashed_secret": "733c83df12b5f09020cfc0ad9411ba17e7d1a093",
 "is_secret": false,
 "is_verified": false,
- "line_number": 3198,
+ "line_number": 3617,
 "type": "Secret Keyword",
 "verified_result": null
 },
@@ -146,7 +146,7 @@
 "hashed_secret": "d2e2ab0f407e4ee3cf2ab87d61c31b25a74085e5",
 "is_secret": false,
 "is_verified": false,
- "line_number": 3861,
+ "line_number": 4280,
 "type": "Secret Keyword",
 "verified_result": null
 }
diff --git a/assets/route-controller-manager/config.yaml b/assets/route-controller-manager/config.yaml
new file mode 100644
index 000000000..9a010f472
--- /dev/null
+++ b/assets/route-controller-manager/config.yaml
@@ -0,0 +1,27 @@
+apiVersion: openshiftcontrolplane.config.openshift.io/v1
+kind: OpenShiftControllerManagerConfig
+build:
+ buildDefaults:
+ resources: {}
+ imageTemplateFormat:
+ format: {{ imageFor "docker-builder" }}
+deployer:
+ imageTemplateFormat:
+ format: {{ imageFor "deployer" }}
+dockerPullSecret:
+ internalRegistryHostname: image-registry.openshift-image-registry.svc:5000
+ingress:
+ ingressIPNetworkCIDR: ''
+kubeClientConfig:
+ kubeConfig: /etc/kubernetes/secret/kubeconfig
+servingInfo:
+ certFile: /etc/kubernetes/secret/server.crt
+ keyFile: /etc/kubernetes/secret/server.key
+ clientCA: /etc/kubernetes/config/serving-ca.crt
+ cipherSuites:
+ - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+ - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+ - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+ - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+ - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+ - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
diff --git a/assets/route-controller-manager/route-controller-manager-config-configmap.yaml b/assets/route-controller-manager/route-controller-manager-config-configmap.yaml
new file mode 100644
index 000000000..715387d8b
--- /dev/null
+++ b/assets/route-controller-manager/route-controller-manager-config-configmap.yaml
@@ -0,0 +1,7 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: route-controller-manager-config
+data:
+ config.yaml: |-
+{{ include "route-controller-manager/config.yaml" 4 }}
diff --git a/assets/route-controller-manager/route-controller-manager-deployment.yaml b/assets/route-controller-manager/route-controller-manager-deployment.yaml
new file mode 100644
index 000000000..74b0ef3e9
--- /dev/null
+++ b/assets/route-controller-manager/route-controller-manager-deployment.yaml
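Review bot: `servingInfo` pins a cipher-suite allow-list but sets no `minTLSVersion`, so the floor of the controller's HTTPS endpoint is whatever the binary defaults to; add `minTLSVersion: VersionTLS12` next to `cipherSuites:` so the profile is explicit and survives a change in that default. The listed suites are all ECDHE with AEAD ciphers, which is fine. The `build`, `deployer` and `dockerPullSecret` stanzas look carried over from the openshift-controller-manager config; if the route-controller-manager binary does not read them, a short comment saying so (or dropping them) spares the next reader from assuming they are load-bearing. `kubeConfig`, `certFile` and `keyFile` all come from the `/etc/kubernetes/secret` mount, so their on-disk permissions are governed by the deployment's secret volume, not by this file.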
@@ -0,0 +1,113 @@
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+ name: route-controller-manager
+spec:
+ replicas: {{ .Replicas }}
+ strategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxSurge: 0
+ maxUnavailable: 1
+ selector:
+ matchLabels:
+ app: route-controller-manager
+ minReadySeconds: 30
+ template:
+ metadata:
+ labels:
+ app: route-controller-manager
+ clusterID: "{{ .ClusterID }}"
+{{ if .RestartDate }}
+ annotations:
+ openshift.io/restartedAt: "{{ .RestartDate }}"
+{{ end }}
+ spec:
+ tolerations:
+ - key: "dedicated"
+ operator: "Equal"
+ value: "master-{{ .ClusterID }}"
+ effect: NoSchedule
+ - key: "multi-az-worker"
+ operator: "Equal"
+ value: "true"
+ effect: NoSchedule
+ affinity:
+ nodeAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 100
+ preference:
+ matchExpressions:
+ - key: dedicated
+ operator: In
+ values:
+ - master-{{ .ClusterID }}
+ podAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 100
+ podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: clusterID
+ operator: In
+ values: ["{{ .ClusterID }}"]
+ topologyKey: "kubernetes.io/hostname"
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: app
+ operator: In
+ values: ["route-controller-manager"]
+ topologyKey: "kubernetes.io/hostname"
+ - labelSelector:
+ matchExpressions:
+ - key: app
+ operator: In
+ values: ["route-controller-manager"]
+ topologyKey: "topology.kubernetes.io/zone"
+ automountServiceAccountToken: false
+{{ if .MasterPriorityClass }}
+ priorityClassName: {{ .MasterPriorityClass }}
+{{ end }}
+ terminationGracePeriodSeconds: 90
+ containers:
+ - name: route-controller-manager
+{{- if .RouteControllerManagerSecurityContext }}
+{{- $securityContext := .RouteControllerManagerSecurityContext }}
+ securityContext:
+ runAsUser: {{ $securityContext.RunAsUser }}
+{{- end }}
+ image: {{ imageFor "route-controller-manager" }}
+ command:
+ - "route-controller-manager"
+ args:
+ - "start"
+ - "--config=/etc/kubernetes/rcmconfig/config.yaml"
+{{ if .RouteControllerManagerResources }}
+ resources:{{ range .RouteControllerManagerResources }}{{ range .ResourceRequest }}
+ requests: {{ if .CPU }}
+ cpu: {{ .CPU }}{{ end }}{{ if .Memory }}
+ memory: {{ .Memory }}{{ end }}{{ end }}{{ range .ResourceLimit }}
+ limits: {{ if .CPU }}
+ cpu: {{ .CPU }}{{ end }}{{ if .Memory }}
+ memory: {{ .Memory }}{{ end }}{{ end }}{{ end }}
+{{ end }}
+ volumeMounts:
+ - mountPath: /etc/kubernetes/secret
+ name: secret
+ - mountPath: /etc/kubernetes/rcmconfig
+ name: rcmconfig
+ - mountPath: /etc/kubernetes/config
+ name: config
+ volumes:
+ - secret:
+ secretName: route-controller-manager
+ defaultMode: 0640
+ name: secret
+ - configMap:
+ name: route-controller-manager
+ name: config
+ - configMap:
+ name: route-controller-manager-config
+ name: rcmconfig
diff --git a/cluster.yaml.example b/cluster.yaml.example
index b2a478097..920b03770 100644
--- a/cluster.yaml.example
+++ b/cluster.yaml.example
@@ -69,6 +69,13 @@ openshiftControllerManagerResources:
 - resourceLimit:
 - cpu: 200m
 memory: 200Mi
+routeControllerManagerResources:
+ - resourceRequest:
+ - cpu: 23m
+ memory: 78Mi
+ - resourceLimit:
+ - cpu: 200m
+ memory: 200Mi
 clusterVersionOperatorResources:
 - resourceRequest:
 - cpu: 12m
@@ -198,6 +205,8 @@ openshiftAPIServerSecurityContext:
 runAsUser: 1000
 openshiftControllerManagerSecurityContext:
 runAsUser: 1000
+routeControllerManagerSecurityContext:
+ runAsUser: 1000
 clusterPolicyControllerSecurityContext:
 runAsUser: 1000
 oAuthServerSecurityContext:
diff --git a/pkg/api/types.go b/pkg/api/types.go
index 5f9b3f8bc..2ff50820b 100644
--- a/pkg/api/types.go
+++ b/pkg/api/types.go
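Review bot: The container `securityContext` only sets `runAsUser`, and only when `.RouteControllerManagerSecurityContext` is supplied, so the pod otherwise runs with the image's default capability set and with privilege escalation allowed; a control-plane component that mounts a kubeconfig and a serving key should drop all capabilities and set `allowPrivilegeEscalation: false` unconditionally, with `runAsNonRoot: true` beside `runAsUser` whenever a uid is configured. `automountServiceAccountToken: false` and the required anti-affinity on hostname and zone are good. Note also that `defaultMode: 0640` on the `route-controller-manager` secret volume together with a non-root uid depends on an `fsGroup` being applied to the pod (for example by an SCC on the management cluster) for the files to be readable at all — worth confirming rather than assuming. `readOnlyRootFilesystem: true` is worth trying as well, but verify the binary needs no writable scratch directory before adding it.
```yaml
      containers:
      - name: route-controller-manager
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
{{- if .RouteControllerManagerSecurityContext }}
{{- $securityContext := .RouteControllerManagerSecurityContext }}
          runAsUser: {{ $securityContext.RunAsUser }}
          runAsNonRoot: true
{{- end }}
        # … unchanged: image, command, args, resources, volumeMounts …
```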
@@ -33,6 +33,7 @@ type ClusterParams struct {
 RouterServiceType string `json:"routerServiceType"`
 KubeAPIServerResources []ResourceRequirements `json:"kubeAPIServerResources"`
 OpenshiftControllerManagerResources []ResourceRequirements `json:"openshiftControllerManagerResources"`
+ RouteControllerManagerResources []ResourceRequirements `json:"routeControllerManagerResources"`
 ClusterVersionOperatorResources []ResourceRequirements `json:"clusterVersionOperatorResources"`
 KubeControllerManagerResources []ResourceRequirements `json:"kubeControllerManagerResources"`
 OpenshiftAPIServerResources []ResourceRequirements `json:"openshiftAPIServerResources"`
@@ -67,6 +68,7 @@ type ClusterParams struct {
 OpenshiftAPIServerSecurityContext *SecurityContext `json:"openshiftAPIServerSecurityContext"`
 OauthAPIServerSecurityContext *SecurityContext `json:"oauthAPIServerSecurityContext"`
 OpenshiftControllerManagerSecurityContext *SecurityContext `json:"openshiftControllerManagerSecurityContext"`
+ RouteControllerManagerSecurityContext *SecurityContext `json:"routeControllerManagerSecurityContext"`
 PortierisSecurityContext *SecurityContext `json:"portierisSecurityContext"`
 ClusterVersionOperatorSecurityContext *SecurityContext `json:"clusterVersionOperatorSecurityContext"`
 KMSSecurityContext *SecurityContext `json:"kmsSecurityContext"`
diff --git a/pkg/assets/bindata.go b/pkg/assets/bindata.go
index b356bf315..0118f9902 100644
--- a/pkg/assets/bindata.go
+++ b/pkg/assets/bindata.go
@@ -84,6 +84,9 @@ // assets/roks-metrics/roks-metrics-service.yaml // assets/roks-metrics/roks-metrics-serviceaccount.yaml // assets/roks-metrics/roks-metrics-servicemonitor.yaml +// assets/route-controller-manager/config.yaml +// assets/route-controller-manager/route-controller-manager-config-configmap.yaml +// assets/route-controller-manager/route-controller-manager-deployment.yaml // assets/user-manifests-bootstrapper/user-manifest-template.yaml // assets/user-manifests-bootstrapper/user-manifests-bootstrapper-pod.yaml // DO NOT EDIT! 
@@ -5950,6 +5953,204 @@ func roksMetricsRoksMetricsServicemonitorYaml() (*asset, error) { return a, nil } +var _routeControllerManagerConfigYaml = []byte(`apiVersion: openshiftcontrolplane.config.openshift.io/v1 +kind: OpenShiftControllerManagerConfig +build: + buildDefaults: + resources: {} + imageTemplateFormat: + format: {{ imageFor "docker-builder" }} +deployer: + imageTemplateFormat: + format: {{ imageFor "deployer" }} +dockerPullSecret: + internalRegistryHostname: image-registry.openshift-image-registry.svc:5000 +ingress: + ingressIPNetworkCIDR: '' +kubeClientConfig: + kubeConfig: /etc/kubernetes/secret/kubeconfig +servingInfo: + certFile: /etc/kubernetes/secret/server.crt + keyFile: /etc/kubernetes/secret/server.key + clientCA: /etc/kubernetes/config/serving-ca.crt + cipherSuites: + - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 + - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 + - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 + - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 + - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 + - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 +`) + +func routeControllerManagerConfigYamlBytes() ([]byte, error) { + return _routeControllerManagerConfigYaml, nil +} + +func routeControllerManagerConfigYaml() (*asset, error) { + bytes, err := routeControllerManagerConfigYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "route-controller-manager/config.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + +var _routeControllerManagerRouteControllerManagerConfigConfigmapYaml = []byte(`kind: ConfigMap +apiVersion: v1 +metadata: + name: route-controller-manager-config +data: + config.yaml: |- +{{ include "route-controller-manager/config.yaml" 4 }} +`) + +func routeControllerManagerRouteControllerManagerConfigConfigmapYamlBytes() ([]byte, error) { + return _routeControllerManagerRouteControllerManagerConfigConfigmapYaml, nil +} + +func 
routeControllerManagerRouteControllerManagerConfigConfigmapYaml() (*asset, error) { + bytes, err := routeControllerManagerRouteControllerManagerConfigConfigmapYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "route-controller-manager/route-controller-manager-config-configmap.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + +var _routeControllerManagerRouteControllerManagerDeploymentYaml = []byte(`kind: Deployment +apiVersion: apps/v1 +metadata: + name: route-controller-manager +spec: + replicas: {{ .Replicas }} + strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 0 + maxUnavailable: 1 + selector: + matchLabels: + app: route-controller-manager + minReadySeconds: 30 + template: + metadata: + labels: + app: route-controller-manager + clusterID: "{{ .ClusterID }}" +{{ if .RestartDate }} + annotations: + openshift.io/restartedAt: "{{ .RestartDate }}" +{{ end }} + spec: + tolerations: + - key: "dedicated" + operator: "Equal" + value: "master-{{ .ClusterID }}" + effect: NoSchedule + - key: "multi-az-worker" + operator: "Equal" + value: "true" + effect: NoSchedule + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + preference: + matchExpressions: + - key: dedicated + operator: In + values: + - master-{{ .ClusterID }} + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: clusterID + operator: In + values: ["{{ .ClusterID }}"] + topologyKey: "kubernetes.io/hostname" + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: ["route-controller-manager"] + topologyKey: "kubernetes.io/hostname" + - labelSelector: + matchExpressions: + - key: app + operator: In + values: ["route-controller-manager"] + topologyKey: 
"topology.kubernetes.io/zone" + automountServiceAccountToken: false +{{ if .MasterPriorityClass }} + priorityClassName: {{ .MasterPriorityClass }} +{{ end }} + terminationGracePeriodSeconds: 90 + containers: + - name: route-controller-manager +{{- if .RouteControllerManagerSecurityContext }} +{{- $securityContext := .RouteControllerManagerSecurityContext }} + securityContext: + runAsUser: {{ $securityContext.RunAsUser }} +{{- end }} + image: {{ imageFor "route-controller-manager" }} + command: + - "route-controller-manager" + args: + - "start" + - "--config=/etc/kubernetes/rcmconfig/config.yaml" +{{ if .RouteControllerManagerResources }} + resources:{{ range .RouteControllerManagerResources }}{{ range .ResourceRequest }} + requests: {{ if .CPU }} + cpu: {{ .CPU }}{{ end }}{{ if .Memory }} + memory: {{ .Memory }}{{ end }}{{ end }}{{ range .ResourceLimit }} + limits: {{ if .CPU }} + cpu: {{ .CPU }}{{ end }}{{ if .Memory }} + memory: {{ .Memory }}{{ end }}{{ end }}{{ end }} +{{ end }} + volumeMounts: + - mountPath: /etc/kubernetes/secret + name: secret + - mountPath: /etc/kubernetes/rcmconfig + name: rcmconfig + - mountPath: /etc/kubernetes/config + name: config + volumes: + - secret: + secretName: route-controller-manager + defaultMode: 0640 + name: secret + - configMap: + name: route-controller-manager + name: config + - configMap: + name: route-controller-manager-config + name: rcmconfig +`) + +func routeControllerManagerRouteControllerManagerDeploymentYamlBytes() ([]byte, error) { + return _routeControllerManagerRouteControllerManagerDeploymentYaml, nil +} + +func routeControllerManagerRouteControllerManagerDeploymentYaml() (*asset, error) { + bytes, err := routeControllerManagerRouteControllerManagerDeploymentYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "route-controller-manager/route-controller-manager-deployment.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} + a := &asset{bytes: bytes, info: info} + 
return a, nil +} + var _userManifestsBootstrapperUserManifestTemplateYaml = []byte(`kind: ConfigMap apiVersion: v1 metadata: @@ -6242,6 +6443,9 @@ var _bindata = map[string]func() (*asset, error){ "roks-metrics/roks-metrics-service.yaml": roksMetricsRoksMetricsServiceYaml, "roks-metrics/roks-metrics-serviceaccount.yaml": roksMetricsRoksMetricsServiceaccountYaml, "roks-metrics/roks-metrics-servicemonitor.yaml": roksMetricsRoksMetricsServicemonitorYaml, + "route-controller-manager/config.yaml": routeControllerManagerConfigYaml, + "route-controller-manager/route-controller-manager-config-configmap.yaml": routeControllerManagerRouteControllerManagerConfigConfigmapYaml, + "route-controller-manager/route-controller-manager-deployment.yaml": routeControllerManagerRouteControllerManagerDeploymentYaml, "user-manifests-bootstrapper/user-manifest-template.yaml": userManifestsBootstrapperUserManifestTemplateYaml, "user-manifests-bootstrapper/user-manifests-bootstrapper-pod.yaml": userManifestsBootstrapperUserManifestsBootstrapperPodYaml, } 
@@ -6397,6 +6601,11 @@ var _bintree = &bintree{nil, map[string]*bintree{
 "roks-metrics-serviceaccount.yaml": {roksMetricsRoksMetricsServiceaccountYaml, map[string]*bintree{}},
 "roks-metrics-servicemonitor.yaml": {roksMetricsRoksMetricsServicemonitorYaml, map[string]*bintree{}},
 }},
+ "route-controller-manager": {nil, map[string]*bintree{
+ "config.yaml": {routeControllerManagerConfigYaml, map[string]*bintree{}},
+ "route-controller-manager-config-configmap.yaml": {routeControllerManagerRouteControllerManagerConfigConfigmapYaml, map[string]*bintree{}},
+ "route-controller-manager-deployment.yaml": {routeControllerManagerRouteControllerManagerDeploymentYaml, map[string]*bintree{}},
+ }},
 "user-manifests-bootstrapper": {nil, map[string]*bintree{
 "user-manifest-template.yaml": {userManifestsBootstrapperUserManifestTemplateYaml, map[string]*bintree{}},
 "user-manifests-bootstrapper-pod.yaml": {userManifestsBootstrapperUserManifestsBootstrapperPodYaml, map[string]*bintree{}},
diff --git a/pkg/render/manifests.go b/pkg/render/manifests.go
index df17bc90a..0f2a30caf 100644
--- a/pkg/render/manifests.go
+++ b/pkg/render/manifests.go
@@ -58,6 +58,7 @@ func (c *clusterManifestContext) setupManifests(externalOauth, includeRegistry,
 c.openshiftAPIServer()
 c.oauthAPIServer()
 c.openshiftControllerManager()
+ c.routeControllerManager()
 if externalOauth {
 c.oauthOpenshiftServer()
 }
@@ -199,6 +200,13 @@ func (c *clusterManifestContext) openshiftControllerManager() {
 )
 }
+func (c *clusterManifestContext) routeControllerManager() {
+ c.addManifestFiles(
+ "route-controller-manager/route-controller-manager-deployment.yaml",
+ "route-controller-manager/route-controller-manager-config-configmap.yaml",
+ )
+}
+
 func (c *clusterManifestContext) controlPlaneOperator() {
 c.addManifestFiles(
 "control-plane-operator/cp-operator-deployment.yaml",
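Review bot: `routeControllerManager` registers only the deployment and the config ConfigMap, yet the deployment it renders mounts a `route-controller-manager` Secret (kubeconfig, `server.crt`/`server.key`) and a `route-controller-manager` ConfigMap (`serving-ca.crt`) that nothing in this diff creates; if those are not emitted by the PKI/secret generation path elsewhere in the renderer, the pod will stay in ContainerCreating with a missing-volume error, so please confirm where they come from. The method is also undocumented, like its siblings here; a one-liner such as `// routeControllerManager adds the route-controller-manager Deployment and its config ConfigMap; the serving Secret and CA ConfigMap the Deployment mounts must be rendered separately.` would record that dependency for the next reader. The two manifest paths are plain string literals resolved against the embedded bindata map, so a typo would surface only at render time — a test that renders the cluster manifests and asserts both files appear would catch it.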