From 208ea97dbd6b62ad838fec9af561b805b6fc4bd7 Mon Sep 17 00:00:00 2001 From: Gus Parvin Date: Fri, 10 May 2024 10:05:32 -0400 Subject: [PATCH] Storage class used with OPP on VMware environment was not correct The OPP policy set needs to be adjusted when running on vmware since a different storageclass must be used. ODF install is failing without these changes and recommendations from ODF are being implemented so best practices will be followed for this infrastructure setup. Signed-off-by: Gus Parvin --- .../{thanos-secret.yaml => operator.yaml} | 32 +++++++ .../policy-ocm-console.yaml | 11 --- .../policy-ocm-observability.yaml | 10 --- .../policy-ocm-pull-secret.yaml | 8 -- .../input-acm-observability/storage.yaml | 10 +++ .../input-odf/policy-odf-cluster.yaml | 89 +++++++++++++++++++ .../input-odf/policy-odf-status.yaml | 8 -- .../openshift-plus/input-odf/policy-odf.yaml | 54 ----------- .../openshift-plus/policyGenerator.yaml | 23 ++++- 9 files changed, 152 insertions(+), 93 deletions(-) rename policygenerator/policy-sets/stable/openshift-plus/input-acm-observability/{thanos-secret.yaml => operator.yaml} (53%) delete mode 100644 policygenerator/policy-sets/stable/openshift-plus/input-acm-observability/policy-ocm-console.yaml delete mode 100644 policygenerator/policy-sets/stable/openshift-plus/input-acm-observability/policy-ocm-observability.yaml delete mode 100644 policygenerator/policy-sets/stable/openshift-plus/input-acm-observability/policy-ocm-pull-secret.yaml create mode 100644 policygenerator/policy-sets/stable/openshift-plus/input-acm-observability/storage.yaml create mode 100644 policygenerator/policy-sets/stable/openshift-plus/input-odf/policy-odf-cluster.yaml
diff --git a/policygenerator/policy-sets/stable/openshift-plus/input-acm-observability/thanos-secret.yaml b/policygenerator/policy-sets/stable/openshift-plus/input-acm-observability/operator.yaml
similarity index 53%
rename from policygenerator/policy-sets/stable/openshift-plus/input-acm-observability/thanos-secret.yaml
rename to policygenerator/policy-sets/stable/openshift-plus/input-acm-observability/operator.yaml
index c8e18fc3a..d9e535d82 100644
--- a/policygenerator/policy-sets/stable/openshift-plus/input-acm-observability/thanos-secret.yaml
+++ b/policygenerator/policy-sets/stable/openshift-plus/input-acm-observability/operator.yaml
@@ -35,3 +35,35 @@ spec:
 ($awsAccess.data.AWS_ACCESS_KEY_ID | base64dec)
 ($awsAccess.data.AWS_SECRET_ACCESS_KEY | base64dec)
 ) | base64enc }}
+---
+apiVersion: v1
+data:
+ .dockerconfigjson: '{{- if eq (lookup "v1" "Secret" "open-cluster-management" "multiclusterhub-operator-pull-secret").kind "Secret" -}} {{- fromSecret "open-cluster-management" "multiclusterhub-operator-pull-secret" ".dockerconfigjson" -}} {{- else -}} {{- fromSecret "openshift-config" "pull-secret" ".dockerconfigjson" -}} {{- end -}}'
+kind: Secret
+metadata:
+ name: multiclusterhub-operator-pull-secret
+ namespace: open-cluster-management-observability
+type: kubernetes.io/dockerconfigjson
+---
+apiVersion: observability.open-cluster-management.io/v1beta2
+kind: MultiClusterObservability
+metadata:
+ name: observability
+spec:
+ observabilityAddonSpec: {}
+ storageConfig:
+ metricObjectStorage:
+ name: thanos-object-storage
+ key: thanos.yaml
+---
+apiVersion: console.openshift.io/v1
+kind: ConsoleLink
+metadata:
+ name: observability
+spec:
+ applicationMenu:
+ section: Red Hat applications
+ imageURL: 'https://upload.wikimedia.org/wikipedia/commons/3/3a/OpenShift-LogoType.svg'
+ href: https://{{ (lookup "route.openshift.io/v1" "Route" "open-cluster-management-observability" "grafana").spec.host }}
+ location: ApplicationMenu
+ text: 'Red Hat Advanced Cluster Management Observability'
diff --git a/policygenerator/policy-sets/stable/openshift-plus/input-acm-observability/policy-ocm-console.yaml b/policygenerator/policy-sets/stable/openshift-plus/input-acm-observability/policy-ocm-console.yaml
deleted file mode 100644
index 34cdf746b..000000000
--- a/policygenerator/policy-sets/stable/openshift-plus/input-acm-observability/policy-ocm-console.yaml
+++ /dev/null
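Review bot: The first document in the renamed operator.yaml copies the cluster-wide `openshift-config/pull-secret` into `open-cluster-management-observability` whenever the ACM operator pull secret is not found, and now that three manifests share one file nothing explains that fallback, the namespace it lands in, or why the MultiClusterObservability and ConsoleLink follow it. Suggest a header comment above the first `apiVersion: v1`: `# Pull secret (hub operator pull secret, else the cluster pull secret), MultiClusterObservability and ConsoleLink; applied by policy-observability-operator once the observability OBC is bound.` The `href` template value is left as a plain scalar while `imageURL` and `text` are single-quoted; quoting it the same way would keep the quoting style consistent within the document.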
@@ -1,11 +0,0 @@
-apiVersion: console.openshift.io/v1
-kind: ConsoleLink
-metadata:
- name: observability
-spec:
- applicationMenu:
- section: Red Hat applications
- imageURL: 'https://upload.wikimedia.org/wikipedia/commons/3/3a/OpenShift-LogoType.svg'
- href: https://{{ (lookup "route.openshift.io/v1" "Route" "open-cluster-management-observability" "grafana").spec.host }}
- location: ApplicationMenu
- text: 'Red Hat Advanced Cluster Management Observability'
diff --git a/policygenerator/policy-sets/stable/openshift-plus/input-acm-observability/policy-ocm-observability.yaml b/policygenerator/policy-sets/stable/openshift-plus/input-acm-observability/policy-ocm-observability.yaml
deleted file mode 100644
index ec65ee6d6..000000000
--- a/policygenerator/policy-sets/stable/openshift-plus/input-acm-observability/policy-ocm-observability.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-apiVersion: observability.open-cluster-management.io/v1beta2
-kind: MultiClusterObservability
-metadata:
- name: observability
-spec:
- observabilityAddonSpec: {}
- storageConfig:
- metricObjectStorage:
- name: thanos-object-storage
- key: thanos.yaml
diff --git a/policygenerator/policy-sets/stable/openshift-plus/input-acm-observability/policy-ocm-pull-secret.yaml b/policygenerator/policy-sets/stable/openshift-plus/input-acm-observability/policy-ocm-pull-secret.yaml
deleted file mode 100644
index b40a9bf5e..000000000
--- a/policygenerator/policy-sets/stable/openshift-plus/input-acm-observability/policy-ocm-pull-secret.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: v1
-data:
- .dockerconfigjson: '{{- if eq (lookup "v1" "Secret" "open-cluster-management" "multiclusterhub-operator-pull-secret").kind "Secret" -}} {{- fromSecret "open-cluster-management" "multiclusterhub-operator-pull-secret" ".dockerconfigjson" -}} {{- else -}} {{- fromSecret "openshift-config" "pull-secret" ".dockerconfigjson" -}} {{- end -}}'
-kind: Secret
-metadata:
- name: multiclusterhub-operator-pull-secret
- namespace: open-cluster-management-observability
-type: kubernetes.io/dockerconfigjson
diff --git a/policygenerator/policy-sets/stable/openshift-plus/input-acm-observability/storage.yaml b/policygenerator/policy-sets/stable/openshift-plus/input-acm-observability/storage.yaml
new file mode 100644
index 000000000..46874241d
--- /dev/null
+++ b/policygenerator/policy-sets/stable/openshift-plus/input-acm-observability/storage.yaml
@@ -0,0 +1,10 @@
+apiVersion: objectbucket.io/v1alpha1
+kind: ObjectBucketClaim
+metadata:
+ name: obc-observability
+ namespace: openshift-storage
+spec:
+ generateBucketName: obc-observability-bucket
+ storageClassName: openshift-storage.noobaa.io
+status:
+ phase: Bound
diff --git a/policygenerator/policy-sets/stable/openshift-plus/input-odf/policy-odf-cluster.yaml b/policygenerator/policy-sets/stable/openshift-plus/input-odf/policy-odf-cluster.yaml
new file mode 100644
index 000000000..1af76c2c3
--- /dev/null
+++ b/policygenerator/policy-sets/stable/openshift-plus/input-odf/policy-odf-cluster.yaml
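Review bot: storage.yaml carries `status: phase: Bound` next to the ObjectBucketClaim `spec`, so the policy that applies it will report NonCompliant until NooBaa has actually bound the bucket; that appears deliberate, since policy-observability-operator in policyGenerator.yaml depends on this policy, but the file does not say so and a later cleanup could drop the status block as noise. Suggest a comment above `status:`: `# Kept on purpose: the policy stays NonCompliant until the bucket is Bound, which gates policy-observability-operator.` If the generator leaves this policy at `remediationAction: enforce`, it is worth confirming that the controller does not keep trying to patch the status subresource; the remediation setting for this entry is outside the visible hunks.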
@@ -0,0 +1,89 @@
+apiVersion: policy.open-cluster-management.io/v1
+kind: ConfigurationPolicy
+metadata:
+ name: policy-odf-cluster
+spec:
+ remediationAction: enforce
+ severity: high
+ object-templates-raw: |
+ {{- /* create the StorageClass if on VMware */ -}}
+ {{- if (eq (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type "VSphere") }}
+ - complianceType: musthave
+ objectDefinition:
+ apiVersion: storage.k8s.io/v1
+ kind: StorageClass
+ metadata:
+ annotations:
+ storageclass.kubernetes.io/is-default-class: "false"
+ name: thin-csi-odf
+ parameters:
+ StoragePolicyName: "vSAN Default Storage Policy"
+ provisioner: csi.vsphere.vmware.com
+ allowVolumeExpansion: true
+ reclaimPolicy: Delete
+ volumeBindingMode: WaitForFirstConsumer
+ {{- end }}
+ - complianceType: musthave
+ objectDefinition:
+ apiVersion: ocs.openshift.io/v1
+ kind: StorageCluster
+ metadata:
+ annotations:
+ uninstall.ocs.openshift.io/cleanup-policy: delete
+ uninstall.ocs.openshift.io/mode: graceful
+ name: ocs-storagecluster
+ namespace: openshift-storage
+ spec:
+ arbiter: {}
+ encryption:
+ kms: {}
+ externalStorage: {}
+ managedResources:
+ cephBlockPools: {}
+ cephCluster: {}
+ cephConfig: {}
+ cephDashboard: {}
+ cephFilesystems: {}
+ cephObjectStoreUsers: {}
+ cephObjectStores: {}
+ cephToolbox: {}
+ mirroring: {}
+ nodeTopologies: {}
+ resources:
+ mds: {}
+ mgr: {}
+ mon: {}
+ noobaa-core: {}
+ noobaa-db: {}
+ noobaa-endpoint:
+ limits:
+ cpu: 1
+ memory: 500Mi
+ requests:
+ cpu: 1
+ memory: 500Mi
+ rgw: {}
+ storageDeviceSets:
+ - config: {}
+ count: 1
+ dataPVCTemplate:
+ metadata: {}
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 100Gi
+ {{- if (eq (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type "VSphere") }}
+ storageClassName: thin-csi-odf
+ {{- else }}
+ storageClassName: gp3-csi
+ {{- end }}
+ volumeMode: Block
+ status: {}
+ name: ocs-deviceset
+ placement: {}
+ portable: 
true
+ preparePlacement: {}
+ replica: 3
+ resources: {}
diff --git a/policygenerator/policy-sets/stable/openshift-plus/input-odf/policy-odf-status.yaml b/policygenerator/policy-sets/stable/openshift-plus/input-odf/policy-odf-status.yaml
index 77025b9e2..62286b6f6 100644
--- a/policygenerator/policy-sets/stable/openshift-plus/input-odf/policy-odf-status.yaml
+++ b/policygenerator/policy-sets/stable/openshift-plus/input-odf/policy-odf-status.yaml
@@ -59,11 +59,3 @@ metadata:
 namespace: openshift-storage
 status:
 phase: Ready
----
-apiVersion: objectbucket.io/v1alpha1
-kind: ObjectBucketClaim
-metadata:
- name: obc-observability
- namespace: openshift-storage
-status:
- phase: Bound
diff --git a/policygenerator/policy-sets/stable/openshift-plus/input-odf/policy-odf.yaml b/policygenerator/policy-sets/stable/openshift-plus/input-odf/policy-odf.yaml
index cdb25cbca..d56103e66 100644
--- a/policygenerator/policy-sets/stable/openshift-plus/input-odf/policy-odf.yaml
+++ b/policygenerator/policy-sets/stable/openshift-plus/input-odf/policy-odf.yaml
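Review bot: In policy-odf-cluster.yaml the `Infrastructure/cluster` platform lookup is evaluated twice, once before the StorageClass document and again at `storageClassName`, and the `{{- else }}` branch hard-codes `gp3-csi`, which exists only on AWS, so on any other non-vSphere platform the device set will reference a StorageClass that is not there. Bind the platform once at the top of `object-templates-raw`, `{{- $platform := (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}`, and use `{{- if eq $platform "VSphere" }}` in both places so the two conditions cannot drift, with a comment on the else branch such as `{{- /* fallback assumes AWS; other platforms need their own StorageClass */ }}`. The StorageCluster also keeps `encryption: kms: {}` with no `enable`, as the removed block did; if at-rest encryption is part of the OPP baseline, state in a comment that it is intentionally off here.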
@@ -35,60 +35,6 @@ spec:
 name: ocs-storagecluster
 namespace: openshift-storage
 ---
-apiVersion: ocs.openshift.io/v1
-kind: StorageCluster
-metadata:
- annotations:
- uninstall.ocs.openshift.io/cleanup-policy: delete
- uninstall.ocs.openshift.io/mode: graceful
- name: ocs-storagecluster
- namespace: openshift-storage
-spec:
- arbiter: {}
- encryption:
- kms: {}
- externalStorage: {}
- managedResources:
- cephBlockPools: {}
- cephCluster: {}
- cephConfig: {}
- cephDashboard: {}
- cephFilesystems: {}
- cephObjectStoreUsers: {}
- cephObjectStores: {}
- cephToolbox: {}
- mirroring: {}
- nodeTopologies: {}
- storageDeviceSets:
- - config: {}
- count: 1
- dataPVCTemplate:
- metadata: {}
- spec:
- accessModes:
- - ReadWriteOnce
- resources:
- requests:
- storage: 100Gi
- storageClassName: gp3-csi
- volumeMode: Block
- status: {}
- name: ocs-deviceset-gp3-csi
- placement: {}
- portable: true
- preparePlacement: {}
- replica: 3
- resources: {}
----
-apiVersion: objectbucket.io/v1alpha1
-kind: ObjectBucketClaim
-metadata:
- name: obc-observability
- namespace: openshift-storage
-spec:
- generateBucketName: obc-observability-bucket
- storageClassName: openshift-storage.noobaa.io
----
 apiVersion: operator.openshift.io/v1
 kind: Console
 metadata:
diff --git a/policygenerator/policy-sets/stable/openshift-plus/policyGenerator.yaml b/policygenerator/policy-sets/stable/openshift-plus/policyGenerator.yaml
index c1c4b8708..1431e5c77 100644
--- a/policygenerator/policy-sets/stable/openshift-plus/policyGenerator.yaml
+++ b/policygenerator/policy-sets/stable/openshift-plus/policyGenerator.yaml
@@ -113,7 +113,7 @@ policies:
 remediationAction: inform
 # ACS Policies - end
 # Observability Policy - start
-- name: policy-ocm-observability
+- name: policy-observability-storage
 consolidateManifests: false
 categories:
 - CA Assessment Authorization and Monitoring
@@ -122,7 +122,17 @@ policies:
 dependencies:
 - name: policy-odf-status
 manifests:
- - path: input-acm-observability/
+ - path: input-acm-observability/storage.yaml
+- name: policy-observability-operator
+ consolidateManifests: false
+ categories:
+ - CA Assessment Authorization and Monitoring
+ controls:
+ - CA-7 Continuous Monitoring
+ dependencies:
+ - name: policy-observability-storage
+ manifests:
+ - path: input-acm-observability/operator.yaml
 # Observability Policy - end
 # ODF Policies - start
 - name: policy-odf
@@ -132,6 +142,15 @@ policies:
 - SI-7 Software Firmware and Information Integrity
 manifests:
 - path: input-odf/policy-odf.yaml
+- name: policy-odf-cluster
+ categories:
+ - SI System and Information Integrity
+ controls:
+ - SI-7 Software Firmware and Information Integrity
+ dependencies:
+ - name: policy-odf
+ manifests:
+ - path: input-odf/policy-odf-cluster.yaml
 - name: policy-odf-status
 categories:
 - SI System and Information Integrity
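Review bot: The manifest path narrows from the whole `input-acm-observability/` directory to `storage.yaml`, and a second entry points at `operator.yaml`, so files dropped into that directory are no longer picked up unless they get their own entry; a comment on the `manifests:` of `policy-observability-storage` such as `# one file per policy: storage.yaml must bind the OBC before operator.yaml creates MultiClusterObservability` would keep someone from reverting to the directory form. The rename of `policy-ocm-observability` to `policy-observability-storage` also changes the generated Policy name; anything else that lists it under `dependencies` or in documentation would need the same edit, and this hunk does not show whether such references exist.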
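Review bot: `policy-odf-cluster` is where the StorageCluster is now created, yet the `policy-odf-status` entry at the end of the second hunk is cut off before its `dependencies`, so it is not visible whether it still waits only on `policy-odf`; if it does, its Ready check can run before the StorageCluster exists, and it should gain `- name: policy-odf-cluster`. The new entry omits `consolidateManifests`, unlike the observability entries above; that seems fine for a file holding a single ConfigurationPolicy, but a one-line comment saying so would spare the next reader the question.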