Create a policy to automatically import discovered ROSA clusters #470

Merged
101 changes: 101 additions & 0 deletions community/CM-Configuration-Management/policy-rosa-autoimport.yaml
@@ -0,0 +1,101 @@
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
name: policy-rosa-autoimport
annotations:
policy.open-cluster-management.io/standards: NIST SP 800-53
policy.open-cluster-management.io/categories: CM Configuration Management
policy.open-cluster-management.io/controls: CM-2 Baseline Configuration
policy.open-cluster-management.io/description: Discovered clusters that are of
type ROSA can be automatically imported into ACM as managed clusters. This
policy helps you select those managed clusters and configure them so the import
will happen. If you do not want all of your ROSA clusters to be automatically
imported, you can configure filters or add an annotation.
spec:
remediationAction: inform
disabled: false
policy-templates:
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: policy-rosa-autoimport
spec:
remediationAction: inform
severity: low
object-templates-raw: |
- complianceType: musthave
objectDefinition:
apiVersion: v1
kind: ConfigMap
metadata:
name: discovery-config
namespace: open-cluster-management-global-set
data:
rosa-filter: ""
{{- /* find the ROSA DiscoveredClusters */ -}}
{{- range $dc := (lookup "discovery.open-cluster-management.io/v1" "DiscoveredCluster" "" "").items }}
{{- /* Check for the flag that indicates the import should be skipped */ -}}
{{- $skip := "false" -}}
{{- range $key, $value := $dc.metadata.annotations }}
{{- if and (eq $key "discovery.open-cluster-management.io/previously-auto-imported")
(eq $value "true") }}
{{- $skip = "true" }}
{{- end }}
{{- end }}
{{- /* if the type is ROSA and the status is Active */ -}}
{{- if and (eq $dc.spec.status "Active")
(contains (fromConfigMap "open-cluster-management-global-set" "discovery-config" "rosa-filter") $dc.spec.displayName)
(eq $dc.spec.type "ROSA")
(eq $skip "false") }}
- complianceType: musthave
objectDefinition:
apiVersion: discovery.open-cluster-management.io/v1
kind: DiscoveredCluster
metadata:
name: {{ $dc.metadata.name }}
namespace: {{ $dc.metadata.namespace }}
spec:
importAsManagedCluster: true
{{- end }}
{{- end }}
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: policy-rosa-managedcluster-status
spec:
remediationAction: inform
severity: low
object-templates-raw: |
{{- /* Use the same DiscoveredCluster list to check ManagedCluster status */ -}}
{{- range $dc := (lookup "discovery.open-cluster-management.io/v1" "DiscoveredCluster" "" "").items }}
{{- /* Check for the flag that indicates the import should be skipped */ -}}
{{- $skip := "false" -}}
{{- range $key, $value := $dc.metadata.annotations }}
{{- if and (eq $key "discovery.open-cluster-management.io/previously-auto-imported")
(eq $value "true") }}
{{- $skip = "true" }}
{{- end }}
{{- end }}
{{- /* if the type is ROSA and the status is Active */ -}}
{{- if and (eq $dc.spec.status "Active")
(contains (fromConfigMap "open-cluster-management-global-set" "discovery-config" "rosa-filter") $dc.spec.displayName)
(eq $dc.spec.type "ROSA")
(eq $skip "false") }}
- complianceType: musthave
objectDefinition:
apiVersion: cluster.open-cluster-management.io/v1
kind: ManagedCluster
metadata:
name: {{ $dc.spec.displayName }}
namespace: {{ $dc.spec.displayName }}
annotations:
cluster.open-cluster-management.io/clusterset: default
status:
conditions:
- type: ManagedClusterAvailable
status: "True"

Member
Rather than skip if discovery.open-cluster-management.io/previously-auto-imported is set, it might be cool to just make the clusterset annotation conditional on this so that the policy can still report on the status after it's been imported but still allow the user to change the clusterset.

Member Author
The ManagedCluster resource won't exist, it will have been deleted after being detached.

{{- end }}
{{- end }}
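Review bot: the description at the top of the file says the policy will "configure them so the import will happen", but both the Policy and the first ConfigurationPolicy ship with `remediationAction: inform`, so as written nothing is changed and the `importAsManagedCluster: true` items are only reported as non-compliant; either default to `enforce` or state in the description that the user has to switch it. Related: because the Policy-level `spec.remediationAction` overrides the template-level setting, flipping it to `enforce` also enforces `policy-rosa-managedcluster-status`, which on a `musthave` miss would create a bare `ManagedCluster` named `{{ $dc.spec.displayName }}` carrying only the clusterset annotation, racing the discovery controller's own import; if that template is meant to stay a status check, put it in its own Policy so it can remain `inform`. Two smaller points in the same hunk: `ManagedCluster` is cluster-scoped, so `namespace: {{ $dc.spec.displayName }}` in that objectDefinition should be dropped, and the description's "add an annotation" never names the annotation, while the template only honours `discovery.open-cluster-management.io/previously-auto-imported: "true"`, which per the thread the controller sets on detach, so spell out which annotation opts a cluster out and whether users are expected to set it by hand. Finally, worth confirming on a fresh hub: the first template renders `fromConfigMap "open-cluster-management-global-set" "discovery-config" "rosa-filter"` inside the same `object-templates-raw` whose first item creates that ConfigMap, so the first render happens before the ConfigMap exists; if `fromConfigMap` errors on a missing ConfigMap the whole template fails to render and the ConfigMap is never created, in which case guard the filter with a `lookup` that defaults to "".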
1 change: 1 addition & 0 deletions community/README.md
Expand Up @@ -181,6 +181,7 @@ Policy | Description | Prerequisites
[Policy to install and configure OADP operator for stateful application backup](./CM-Configuration-Management/acm-app-pv-backup/resources/policies/oadp-hdr-app-install.yaml) | First of 3 policies, used to backup or restore stateful applications on managed clusters. Used to install OADP on managed clusters and configure the connection to the storage location and installed on both backup and restore operations. | For more information, see [ACM Application Backup and Restore policy readme](./CM-Configuration-Management/acm-app-pv-backup/README.md)
[Policy to backup a stateful application with OADP](./CM-Configuration-Management/acm-app-pv-backup/resources/policies/oadp-hdr-app-backup.yaml) | Second of 3 policies, used to backup stateful applications on managed clusters. | For more information, see [ACM Application Backup and Restore policy readme](./CM-Configuration-Management/acm-app-pv-backup/README.md)
[Policy to restore a stateful application with OADP](./CM-Configuration-Management/acm-app-pv-backup/resources/policies/oadp-hdr-app-restore.yaml) | Last of 3 policies, used to restore stateful applications on managed clusters. | For more information, see [ACM Application Backup and Restore policy readme](./CM-Configuration-Management/acm-app-pv-backup/README.md)
[Policy to automatically import ROSA clusters](./CM-Configuration-Management/policy-rosa-autoimport.yaml) | Use this policy to automatically import discovered ROSA clusters as a managed cluster. | By default this policy will configure ROSA discovered clusters to be automatically imported as a managed cluster. Edit the ConfigMap to adjust the discovered cluster filter. Edit the managed cluster resource to change the default ManagedClusterSet the mananged cluster is added to.


### Contingency Planning
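Review bot: the new row states "By default this policy will configure ROSA discovered clusters to be automatically imported", but the policy file in this PR ships with `remediationAction: inform` at both the Policy and template level, so by default it only reports; say that the user must set `remediationAction: enforce` for the import to happen. Also fix the typo "mananged" in "the mananged cluster is added to", and "Edit the ConfigMap to adjust the discovered cluster filter" would be more useful with the ConfigMap's name and namespace (`discovery-config` in `open-cluster-management-global-set`) and a note that `rosa-filter` is a case-sensitive substring match against the discovered cluster's `displayName`, where the shipped empty string matches every ROSA cluster.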