---
# OpenShift Template for the kas-fleet-manager API deployment. `oc process`
# substitutes the parameters declared below into the objects section
# (ConfigMaps, ServiceAccount, Deployment, ...).
apiVersion: template.openshift.io/v1
kind: Template
metadata:
  name: kas-fleet-manager-service
  annotations:
    openshift.io/display-name: "Kas Fleet Manager API"
    description: "Kafka Services Fleet Manager API to managed Kafka"
    tags: "golang"
    iconClass: "icon-shadowman"
    template.openshift.io/provider-display-name: "Red Hat, Inc."
    template.openshift.io/documentation-url: "https://gitlab.cee.redhat.com/service/"
  labels:
    template: kas-fleet-manager
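# Template parameters. Each one is substituted as a string wherever ${NAME}
# appears in the objects section; `required: true` forces the caller to supply
# a value, everything else falls back to the `value` given here.
# Several defaults are development-grade and are flagged with a
# "Production:" comment where overriding them matters for security.
parameters:
- name: ENVIRONMENT
  displayName: Environment
  description: Which Kafka Service Fleet Manager environment to use for this deployment
  value: "production"
- name: IMAGE_REGISTRY
  displayName: Image Registry
  required: true
- name: IMAGE_REPOSITORY
  displayName: Image Repository
  required: true
# "latest" is a mutable tag: the same rendered template can pull different
# images over time. Production: pin a versioned tag or digest so rollouts are
# reproducible and auditable.
- name: VERSION
  displayName: Image version
  value: "latest"
- name: IMAGE_TAG
  displayName: Image tag
  value: "latest"
- name: GLOG_V
  displayName: GLOG V Level
  description: Log verbosity level
  value: "10"
- name: MEMORY_REQUEST
  description: Memory request for the API pods.
  value: "512Mi"
- name: MEMORY_LIMIT
  description: Memory limit for the API pods.
  value: "1Gi"
- name: CPU_REQUEST
  description: CPU request for the API pods.
  value: "200m"
- name: CPU_LIMIT
  description: CPU limit for the API pods.
  value: "1"
- name: JWKS_URL
  displayName: JWK Token Certificate URL
# "true" skips TLS verification of the JWKS endpoint, i.e. the source of the
# JWT signing keys would no longer be authenticated. Keep "false" outside
# local development.
- name: JWKS_VERIFY_INSECURE
  displayName: Skip TLS verification for jwks cert url
  value: "false"
- name: OCM_URL
  displayName: OCM API Base URL
  description: Base path for all OCM APIs
- name: AMS_URL
  displayName: AMS API Base URL
  description: Base path for all AMS APIs
- name: OCM_DEBUG
  displayName: OCM API Debug mode
  description: Debug mode for OCM API client
  value: "false"
- name: REPLICAS
  description: Number of replicas of the service to run.
  value: "3"
- name: ENABLE_HTTPS
  displayName: Enable HTTPS
  description: Enable HTTPS rather than HTTP
  value: "true"
# Bind addresses are quoted: a leading ":" is a YAML indicator and reads more
# safely as an explicit string (parsed value is unchanged).
- name: API_SERVER_BINDADDRESS
  displayName: API Server Bindaddress
  description: API server bind address
  value: ":8000"
- name: METRICS_SERVER_BINDADDRESS
  displayName: Metrics Server Bindaddress
  description: Metrics server bind address
  value: ":8080"
- name: HEALTH_CHECK_SERVER_BINDADDRESS
  displayName: Health check Server Bindaddress
  description: Health check server bind address
  value: ":8083"
- name: DB_MAX_OPEN_CONNS
  displayName: Maximum Open Database Connections
  description: Maximum number of open database connections per pod
  value: "50"
# "disable" leaves the database connection unencrypted and the server
# unauthenticated. Production: verify-full (verify-ca at minimum).
- name: DB_SSLMODE
  displayName: DB SSLmode
  description: Database ssl mode (disable | require | verify-ca | verify-full)
  value: "disable"
- name: ENABLE_DB_DEBUG
  displayName: Enable DB Debug
  description: framework's debug mode
  value: "false"
- name: ENABLE_METRICS_HTTPS
  displayName: Enable Metrics HTTPS
  description: Enable HTTPS for metrics server
  value: "false"
- name: ENABLE_OCM_MOCK
  displayName: Enable OCM Mock
  description: Enable mock ocm client
  value: "false"
- name: OCM_MOCK_MODE
  displayName: OCM mock mode
  description: OCM mock mode
  value: "emulate-server"
- name: ENABLE_SENTRY
  displayName: Enable Sentry Error Reporting
  value: "false"
# Hard-coded external error-reporting endpoint; override per environment.
- name: SENTRY_URL
  displayName: Sentry base URL
  description: Base URL (without https://) of sentry server
  value: "sentry.autom8.in"
- name: SENTRY_PROJECT
  displayName: Sentry Project ID
  value: "8"
- name: ENABLE_SENTRY_DEBUG
  displayName: Enable Sentry Debug Logging
  value: "false"
- name: SENTRY_TIMEOUT
  displayName: Sentry Timeout
  description: Timeout for all Sentry operations
  value: "5s"
# The following parameters carry whole YAML documents as single-line flow
# collections. They are spliced verbatim into ConfigMap block scalars in the
# objects section, so a value must stay on one line and be well-formed YAML;
# a multi-line or unbalanced value silently corrupts the generated ConfigMap.
- name: SUPPORTED_CLOUD_PROVIDERS
  displayName: Supported Cloud Providers
  description: A list of supported cloud providers in a yaml format.
  value: "[{name: aws, default: true, regions: [{name: us-east-1, default: true, supported_instance_type: {standard: {}, developer: {}}}]}]"
- name: SUPPORTED_INSTANCE_TYPES
  displayName: Supported Kafka instance types
  description: A list of supported Kafka instance types in a yaml format.
  value: "[{id: standard, display_name: Standard, supported_billing_models: [{id: standard, ams_resource: rhosak, ams_product: RHOSAK, ams_billing_models: [standard]}, {id: marketplace, ams_resource: rhosak, ams_product: RHOSAK, ams_billing_models: [marketplace, marketplace-rhm, marketplace-aws]}, {id: eval, ams_resource: rhosak, ams_product: RHOSAKEval, ams_billing_models: [standard], grace_period_days: 4}, {id: enterprise, ams_resource: rhosak, ams_product: RHOSAKCC, ams_billing_models: [standard]}], sizes: [{id: x1, display_name: '1', ingressThroughputPerSec: 50Mi, egressThroughputPerSec: 100Mi, totalMaxConnections: 9000, maxConnectionAttemptsPerSec: 100, maxDataRetentionSize: 1000Gi, maxDataRetentionPeriod: P14D, maxPartitions: 1500, maxMessageSize: 1Mi, minInSyncReplicas: 2, replicationFactor: 3, quotaConsumed: 1, quotaType: RHOSAK, capacityConsumed: 1, supportedAZModes: [multi], maturityStatus: stable}, {id: x2, display_name: '2', ingressThroughputPerSec: 100Mi, egressThroughputPerSec: 200Mi, totalMaxConnections: 18000, maxDataRetentionSize: 2000Gi, maxPartitions: 3000, maxMessageSize: 1Mi, minInSyncReplicas: 2, replicationFactor: 3, maxDataRetentionPeriod: P14D, maxConnectionAttemptsPerSec: 200, quotaConsumed: 2, quotaType: RHOSAK, capacityConsumed: 2, supportedAZModes: [multi], maturityStatus: preview}]}, {id: developer, display_name: Trial, supported_billing_models: [{id: standard, ams_resource: rhosak, ams_product: RHOSAKTrial, ams_billing_models: [standard]}], sizes: [{id: x1, display_name: '1', ingressThroughputPerSec: 1Mi, egressThroughputPerSec: 1Mi, totalMaxConnections: 100, maxConnectionAttemptsPerSec: 50, maxDataRetentionSize: 10Gi, maxDataRetentionPeriod: P14D, maxPartitions: 100, maxMessageSize: 1Mi, minInSyncReplicas: 1, quotaConsumed: 1, replicationFactor: 1, quotaType: RHOSAKTrial, capacityConsumed: 1, supportedAZModes: [single], lifespanSeconds: 172800, maturityStatus: stable}]}]"
- name: DYNAMIC_SCALING_CONFIG
  displayName: Dynamic Scaling configuration
  description: "YAML content containing a map of the dynamic scaling configuration for each instance type"
  value: "{new_data_plane_openshift_version: '', enable_dynamic_data_plane_scale_up: false, enable_dynamic_data_plane_scale_down: false, compute_machine_per_cloud_provider: {aws: {cluster_wide_workload: {compute_machine_type: m5.2xlarge, compute_node_autoscaling: {min_compute_nodes: 3, max_compute_nodes: 18}}, kafka_workload_per_instance_type: {standard: {compute_machine_type: r5.xlarge, compute_node_autoscaling: {min_compute_nodes: 3, max_compute_nodes: 18}}, developer: {compute_machine_type: m5.2xlarge, compute_node_autoscaling: {min_compute_nodes: 1, max_compute_nodes: 3}}}}, gcp: {cluster_wide_workload: {compute_machine_type: custom-8-32768, compute_node_autoscaling: {min_compute_nodes: 3, max_compute_nodes: 18}}, kafka_workload_per_instance_type: {standard: {compute_machine_type: custom-8-32768, compute_node_autoscaling: {min_compute_nodes: 3, max_compute_nodes: 18}}, developer: {compute_machine_type: custom-8-32768, compute_node_autoscaling: {min_compute_nodes: 1, max_compute_nodes: 3}}}}}}"
- name: NODE_PREWARMING_CONFIG
  displayName: Node prewarming configuration
  description: "YAML content containing a map of the node prewarming configuration for each instance type"
  value: "{}"
# Per-HTTP-method role allow-list for the admin API: GET accepts any of the
# full/read/write roles, PATCH requires full or write, DELETE requires full.
- name: ADMIN_AUTHZ_CONFIG
  displayName: Admin API AUTHZ configuration
  description: "YAML configuration for admin API endpoints authorization"
  value: "[{method: GET, roles: [kas-fleet-manager-admin-full, kas-fleet-manager-admin-read, kas-fleet-manager-admin-write]}, {method: PATCH, roles: [kas-fleet-manager-admin-full, kas-fleet-manager-admin-write]}, {method: DELETE, roles: [kas-fleet-manager-admin-full]}]"
- name: ENABLE_KAFKA_EXTERNAL_CERTIFICATE
  displayName: Enable Kafka TLS
  description: Enable the Kafka TLS certificate
  value: "false"
- name: KAFKA_TLS_CERTIFICATE_MANAGEMENT_MUST_STAPLE
  displayName: The tls certificate management must staple
  description: The tls certificate management must staple. Adds the must staple TLS extension to the certificate signing request.
  value: "false"
- name: KAFKA_TLS_CERTIFICATE_MANAGEMENT_STRATEGY
  displayName: The tls certificate management strategy
  description: The tls certificate management strategy. Possible options are manual and automatic.
  value: "manual"
- name: KAFKA_TLS_CERTIFICATE_MANAGEMENT_STORAGE_TYPE
  displayName: The tls certificate management storage type.
  description: The tls certificate management storage type. Available options are in-memory, file and secure-storage.
  value: "secure-storage"
- name: KAFKA_TLS_CERTIFICATE_MANAGEMENT_EMAIL
  displayName: The tls certificate management email.
  description: The tls certificate management email. This is required when strategy is automatic
- name: KAFKA_TLS_CERTIFICATE_MANAGEMENT_RENEWAL_WINDOW_RATIO
  displayName: The tls certificate management renewal window ratio.
  description: The tls certificate management renewal window ratio i.e how much of a certificate's lifetime becomes the renewal window
  value: "0.3333333333"
- name: KAFKA_TLS_CERTIFICATE_MANAGEMENT_SECURE_STORAGE_CACHE_TTL
  displayName: The tls certificate management certificate cache ttl.
  description: The cache duration of the certificate when secure-storage is used. Past this duration, the cached certificate will be refreshed from the secure storage on its retrieval
  value: "10m"
- name: ENABLE_KAFKA_CNAME_REGISTRATION
  displayName: Enable Kafka CNAME Registration
  description: Enable Kafka DNS CNAME Registration
  value: "false"
- name: RECONCILER_REPEAT_INTERVAL
  displayName: Repeat Interval
  description: The interval between cluster reconciliations.
  value: "30s"
- name: LEADER_ELECTION_RECONCILER_REPEAT_INTERVAL
  displayName: Leader Election Repeat Interval
  description: The interval between Leader Elections.
  value: "15s"
- name: LEADER_LEASE_EXPIRATION_TIME
  displayName: Leader Lease expiration time
  description: This is the amount of time before a leader lease expires.
  value: "1m"
- name: OBSERVATORIUM_RHSSO_TENANT
  displayName: Observatorium Red Hat SSO tenant
  description: Observatorium Red Hat SSO tenant for observability stack.
  value: ""
- name: OBSERVATORIUM_TOKEN_REFRESHER_URL
  displayName: Observatorium Red Hat SSO token refresher URL
  description: Observatorium Red Hat SSO token refresher URL for observability stack.
  value: ""
- name: DATAPLANE_OBSERVABILITY_CONFIG_ENABLE
  displayName: Enable dataplane observability
  description: Enable sending metrics to the remote write receiver which is configured in the file referenced from --dataplane-observability-config-file-path.
  value: "false"
- name: OBSERVATORIUM_TIMEOUT
  displayName: observatorium Request Timeout (seconds)
  description: Timeout duration for all requests made to Observatorium
  value: "120s"
# NOTE(review): defaults to insecure. The displayName suggests this disables
# TLS protection toward Observatorium — confirm the exact effect and set
# "false" in production.
- name: OBSERVATORIUM_INSECURE
  displayName: Observatorium ssl mode (disable)
  value: "true"
- name: ENABLE_TERMS_ACCEPTANCE
  displayName: Enable terms acceptance
  description: If enabled, kafkas can't be created unless required terms are accepted
  value: "false"
# Both access-control list features are off by default; presumably the
# DENIED_USERS / ACCEPTED_ORGANISATIONS lists below only take effect once
# these flags are "true" — confirm against the service's config loading.
- name: ENABLE_DENY_LIST
  displayName: Enable the Deny List
  description: Enable the denied list access control feature
  value: "false"
- name: ENABLE_ACCESS_LIST
  displayName: Enable the Access List
  description: Enable the Access list access control feature
  value: "false"
- name: ENABLE_INSTANCE_LIMIT_CONTROL
  displayName: Enable instance limit control
  description: Enable to enforce limits on how many instances a user can create.
  value: "true"
- name: MAX_ALLOWED_INSTANCES
  displayName: Maximum allowed instances
  description: The default value of maximum number of instances that can be created by users.
  value: "1"
- name: MAX_ALLOWED_SERVICE_ACCOUNTS
  displayName: Maximum allowed service accounts
  description: The default value of maximum number of service accounts that can be created by users.
  value: "2"
- name: SERVICE_ACCOUNT_LIMIT_CHECK_SKIP_ORG_ID_LIST
  displayName: A list of Org Ids for which service account limit checks don't apply.
  description: A list of Org Ids for which service account limit checks don't apply.
  value: "[]"
- name: MAX_LIMIT_FOR_SSO_GET_CLIENTS
  displayName: Max clients fetch by get clients
  description: The default value of maximum number of clients fetch from mas-sso.
  value: "100"
- name: REGISTERED_SERVICE_ACCOUNTS
  displayName: A list of service accounts
  description: A list of service accounts that are allowed to create standard KAFKA instances without requiring an organisation to do so in a yaml format.
  value: "[]"
# Default quota grants name concrete organisation IDs; these are presumably
# environment-specific and should be overridden by the caller rather than
# relied on from the template default.
- name: REGISTERED_USERS_PER_ORGANISATION
  displayName: A list of users per organisation
  description: A list of users that are allowed to create standard KAFKA instances via their organisation in a yaml format.
  value: "[{id: 13640203, any_user: true, max_allowed_instances: 5, registered_users: [], granted_quota: [{instance_type_id: standard, kafka_billing_models: [{id: standard, max_allowed_instances: 5}, {id: marketplace, max_allowed_instances: 5}, {id: enterprise, max_allowed_instances: 5}]}]}, {id: 12147054, any_user: true, max_allowed_instances: 1, registered_users: [], granted_quota: [{instance_type_id: standard, kafka_billing_models: [{id: standard, max_allowed_instances: 1}, {id: enterprise, max_allowed_instances: 1}]}]}, {id: 13639843, any_user: true, max_allowed_instances: 1, registered_users: [], granted_quota: [{instance_type_id: standard, kafka_billing_models: [{id: standard, max_allowed_instances: 1}, {id: enterprise, max_allowed_instances: 1}]}]}, {id: 13785172, any_user: true, max_allowed_instances: 1, registered_users: [], granted_quota: [{instance_type_id: standard, kafka_billing_models: [{id: standard, max_allowed_instances: 1}, {id: enterprise, max_allowed_instances: 1}]}]}, {id: 13645369, any_user: true, max_allowed_instances: 3, registered_users: [], granted_quota: [{instance_type_id: standard, kafka_billing_models: [{id: standard, max_allowed_instances: 3}, {id: enterprise, max_allowed_instances: 3}]}]}]"
# JWT claim names the service reads for identity and tenancy. Changing these
# changes who the service believes the caller is — keep them aligned with the
# issuer configured in TOKEN_ISSUER_URL.
- name: TENANT_USERNAME_CLAIM
  displayName: Token claims username key
  description: Token claims key to retrieve the corresponding user principal.
  value: "username"
- name: TENANT_ID_CLAIM
  displayName: Token claims organisation ID key
  description: Token claims key to retrieve the corresponding organisation ID.
  value: "org_id"
- name: TENANT_ORG_ADMIN_CLAIM
  displayName: Token claims organisation admin access key
  description: Token claims key to retrieve the corresponding organisation admin role.
  value: "is_org_admin"
- name: ALTERNATE_TENANT_USERNAME_CLAIM
  displayName: Token claims alternative username key
  description: Token claims key to retrieve the corresponding user principal using an alternative claim.
  value: "preferred_username"
- name: TENANT_USER_ID_CLAIM
  displayName: Token claims Account ID key
  description: Token claims key to retrieve the corresponding Account ID.
  value: "account_id"
- name: ALTERNATE_TENANT_ID_CLAIM
  displayName: Token claims alternative organisation ID key.
  description: Token claims key to retrieve the corresponding organisation ID using an alternative claim.
  value: "rh-org-id"
- name: DENIED_USERS
  displayName: A list of denied users given by their usernames
  description: A list of denied users that are not allowed to access the service. A user is identified by its username.
  value: "[]"
- name: ACCEPTED_ORGANISATIONS
  displayName: A list of accepted organisations given by their orgId
  description: A list of accepted organisations that are allowed to access the service. An organisation is identified by its orgId.
  value: "[]"
- name: READ_ONLY_USERS
  displayName: A list of read only users given by their usernames
  description: A list of read only users. A user is identified by its username.
  value: "[]"
- name: KAFKA_SRE_USERS
  displayName: A list of kafka-sre admin users given by their usernames
  description: A list of kafka-sre admin users. A user is identified by its username.
  value: "[]"
- name: MAS_SSO_DEBUG
  displayName: MAS SSO API Debug mode
  description: Debug mode for MAS SSO API client
  value: "false"
- name: MAS_SSO_ENABLE_AUTH
  displayName: Enable MAS SSO Auth
  description: Enable MAS SSO Auth for the data plane
  value: "true"
- name: ENABLE_KAFKA_SRE_IDENTITY_PROVIDER_CONFIGURATION
  displayName: Enable the configuration of Kafka_SRE identity provider on the data plane cluster
  description: Enable the configuration of Kafka_SRE identity provider on the data plane cluster
  value: "true"
# Keep "false" outside local development; "true" allows an unverified
# connection to the SSO server.
- name: MAS_SSO_INSECURE
  displayName: Enable MAS SSO Insecure Connection
  description: Enable MAS SSO insecure connection
  value: "false"
- name: MAS_SSO_BASE_URL
  displayName: MAS SSO Host Url
  description: MAS SSO Host url
- name: MAS_SSO_REALM
  displayName: MAS SSO REALM for Kafka SSO Clients and Service Accounts
  description: MAS SSO realm for Kafka SSO Clients and Service Accounts
- name: USER_NAME_CLAIM
  displayName: Kafka Oauth spec human readable token claim attribute
  description: Kafka Oauth spec human readable token claim attribute
  value: "clientId"
- name: FALL_BACK_USER_NAME_CLAIM
  displayName: Kafka Oauth spec fall back human readable token claim attribute
  description: Kafka Oauth spec fall back human readable token claim attribute
  value: "preferred_username"
- name: OSD_IDP_MAS_SSO_REALM
  displayName: MAS SSO REALM for OSD Cluster Identity Provider Clients
  description: MAS SSO realm for OSD Cluster Identity Provider Clients
  value: "interim-test-realm"
- name: SSO_PROVIDER_TYPE
  description: Option to choose between sso providers i.e, mas_sso or redhat_sso, mas_sso by default
  value: "mas_sso"
- name: REDHAT_SSO_BASE_URL
  description: redhat_sso base url
  value: "https://sso.redhat.com"
# The admin API authenticates against a separate (employee) identity
# provider; authorization per method comes from ADMIN_AUTHZ_CONFIG above.
- name: ADMIN_API_SSO_BASE_URL
  description: Admin API SSO Base URL
  value: "https://auth.redhat.com"
- name: ADMIN_API_SSO_ENDPOINT_URI
  description: Admin API SSO Endpoint URI
  value: "/auth/realms/EmployeeIDP"
- name: ADMIN_API_SSO_REALM
  description: Admin API SSO Realm
  value: "EmployeeIDP"
- name: ALLOW_DEVELOPER_INSTANCE
  displayName: Allow Developer Instance
  description: Allow the creation of one kafka developer instance per user
  value: "true"
- name: QUOTA_TYPE
  displayName: Quota type
  description: The type of quota management service to be used. Available options are 'ams' and "quota-management-list"
  value: "quota-management-list"
- name: KAS_FLEETSHARD_POLL_INTERVAL
  displayName: Kas-fleetshard-operator poll interval
  description: Interval defining how often the synchronizer polls and gets updates from the control plane
  value: "15s"
- name: KAS_FLEETSHARD_RESYNC_INTERVAL
  displayName: Kas-fleetshard-operator resync interval
  description: Interval defining how often the synchronizer reports back status changes to the control plane
  value: "60s"
- name: OBSERVABILITY_CONFIG_REPO
  displayName: Observability configuration repo URL
  description: URL of the observability configuration repo, either a Github or a Quay repository
  value: "quay.io/rhoas/observability-resources-mk"
- name: OBSERVABILITY_CONFIG_CHANNEL
  displayName: Observability configuration channel
  description: Channel of the observability configuration
  value: "resources"
- name: OBSERVABILITY_CONFIG_TAG
  displayName: Observability configuration tag
  description: Tag or branch in a Github repository, or image tag in a Quay repository
  value: "latest"
- name: SERVICE_PUBLIC_HOST_URL
  displayName: The public HTTP host URL of the service
  description: The public HTTP host URL of the service
  value: "https://api.openshift.com"
- name: DATAPLANE_CLUSTER_SCALING_TYPE
  displayName: Data Plane Cluster Scaling Type
  description: Data Plane Cluster Scaling type (manual/auto/none). If set to none, scaling is disabled.
  value: "manual"
- name: CLUSTER_LIST
  displayName: A list of cluster to be registered in kas fleet manager
  description: A list of cluster to be registered in kas fleet manager
  value: "[]"
- name: ENVOY_IMAGE
  description: Envoy image
  value: "envoyproxy/envoy:v1.25.1"
- name: KAFKA_DOMAIN_NAME
  description: The domain name to use for Kafka instances
  value: "kafka.bf2.dev"
- name: BROWSER_URL
  description: browser url pointing to the kafka admin console
  value: "http://localhost:8080/"
- name: STRIMZI_OPERATOR_ADDON_ID
  displayName: Strimzi operator addon ID
  description: ID of the Strimzi operator addon
  value: "managed-kafka-qe"
- name: KAS_FLEETSHARD_ADDON_ID
  displayName: kas-fleetshard addon ID
  description: ID of the kas-fleetshard addon
  value: "kas-fleetshard-operator-qe"
- name: CLUSTER_LOGGING_OPERATOR_ADDON_ID
  displayName: Cluster logging operator addon ID
  description: ID of the cluster logging operator addon
  value: ""
- name: ENABLE_READY_DATA_PLANE_CLUSTERS_RECONCILE
  description: Enables reconciliation for data plane clusters in the 'Ready' state
  value: "true"
- name: ENABLE_KAFKA_OWNER
  description: Enable setting up kafka owners from a configuration list
  value: "false"
- name: KAFKA_OWNERS
  description: Setting up kafka owners from configuration
  value: "[]"
- name: STRIMZI_OLM_INDEX_IMAGE
  displayName: Strimzi operator OLM index image
  description: Strimzi operator OLM index image
  value: "quay.io/osd-addons/managed-kafka:production-82b42db"
- name: STRIMZI_OLM_PACKAGE_NAME
  displayName: Strimzi operator OLM package name
  description: Strimzi operator OLM package name
  value: "managed-kafka"
- name: KAS_FLEETSHARD_OLM_INDEX_IMAGE
  displayName: kas-fleetshard operator OLM index image
  description: kas-fleetshard operator OLM index image
  value: "quay.io/osd-addons/kas-fleetshard-operator:production-82b42db"
- name: KAS_FLEETSHARD_OLM_PACKAGE_NAME
  displayName: kas-fleetshard operator OLM package name
  description: kas-fleetshard operator OLM package name
  value: "kas-fleetshard-operator"
- name: OBSERVABILITY_OPERATOR_INDEX_IMAGE
  displayName: Observability operator index image
  description: Observability operator index image
  value: "quay.io/rhoas/observability-operator-index:v4.2.1"
- name: OBSERVABILITY_OPERATOR_STARTING_CSV
  displayName: Observability operator subscription starting csv
  description: Observability operator subscription starting csv
  value: "observability-operator.v4.2.1"
- name: IMAGE_PULL_POLICY
  displayName: image pull policy
  description: image pull policy
  value: "IfNotPresent"
# Issuer pinning for incoming JWTs: tokens from any other issuer are rejected.
- name: TOKEN_ISSUER_URL
  displayName: A token issuer url
  description: A token issuer url used to validate if JWT token used are coming from the given issuer
  value: "https://sso.redhat.com/auth/realms/redhat-external"
- name: SSO_SPECIAL_MANAGEMENT_ORG_ID
  displayName: Special Management Organization ID
  description: Special Management Organization ID used for creating internal Service accounts
  value: "13640203"
- name: STRIMZI_OPERATOR_SUBSCRIPTION_CONFIG
  displayName: Strimzi operator subscription config
  description: Strimzi operator subscription config. This is applied for standalone clusters only. The configuration must be of type https://pkg.go.dev/github.com/operator-framework/[email protected]/pkg/operators/v1alpha1?utm_source=gopls#SubscriptionConfig
  value: "{}"
- name: KAS_FLEETSHARD_OPERATOR_SUBSCRIPTION_CONFIG
  displayName: Kas-fleetshard operator subscription config
  description: kas-fleetshard operator subscription config. This is applied for standalone clusters only. The configuration must be of type https://pkg.go.dev/github.com/operator-framework/[email protected]/pkg/operators/v1alpha1?utm_source=gopls#SubscriptionConfig
  value: "{}"
- name: STRIMZI_OPERATOR_STARTING_CSV
  displayName: Strimzi operator subscription starting csv
  description: Strimzi operator subscription starting csv
- name: KAS_FLEETSHARD_OPERATOR_STARTING_CSV
  displayName: Kas-fleetshard operator subscription starting csv
  description: Kas-fleetshard operator subscription starting csv
- name: MAX_ALLOWED_DEVELOPER_INSTANCES
  displayName: Max allowed developer instances config
  description: As a user, one can create up to N defined max developer instances if they do not have quota to create standard instances.
  value: "1"
- name: OBSERVABILITY_ENABLE_CLOUDWATCHLOGGING
  displayName: Enable Observability to deliver data plane logs to AWS CloudWatch
  description: Enables Observability related AWS CloudWatch Logging. If false, logs from the data plane won't be sent to CloudWatch through Observability
  value: "false"
- name: AWS_SECRET_MANAGER_REGION
  description: The AWS region of secret manager to use to store secrets
  value: "us-east-1"
- name: AWS_SECRET_MANAGER_SECRET_PREFIX
  description: Prefix to use for all secret names in AWS secret manager
  value: "kas-fleet-manager"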
# Kubernetes objects rendered by this template. Parameter text is substituted
# verbatim into the block scalars below, so each YAML-carrying parameter must
# be a single well-formed line or the resulting ConfigMap is malformed.
objects:
# Cloud providers and regions the fleet manager accepts (SUPPORTED_CLOUD_PROVIDERS).
# qontract.recycle: presumably makes the deployment tooling restart the pods
# when this ConfigMap changes — confirm against the tooling's documentation.
- apiVersion: v1
  kind: ConfigMap
  metadata:
    name: kas-fleet-manager-providers-config
    annotations:
      qontract.recycle: "true"
  data:
    provider-configuration.yaml: |-
      supported_providers: ${SUPPORTED_CLOUD_PROVIDERS}
# Kafka instance types, billing models and sizes (SUPPORTED_INSTANCE_TYPES).
- apiVersion: v1
  kind: ConfigMap
  metadata:
    name: kas-fleet-manager-kafka-instance-types-config
    annotations:
      qontract.recycle: "true"
  data:
    kafka-instance-types-configuration.yaml: |-
      supported_instance_types: ${SUPPORTED_INSTANCE_TYPES}
# Dynamic data-plane scaling settings; the parameter is the whole document.
- apiVersion: v1
  kind: ConfigMap
  metadata:
    name: kas-fleet-manager-dynamic-scaling-config
    annotations:
      qontract.recycle: "true"
  data:
    dynamic-scaling-configuration.yaml: |-
      ${DYNAMIC_SCALING_CONFIG}
# Node prewarming settings; the parameter is the whole document ("{}" by default).
- apiVersion: v1
  kind: ConfigMap
  metadata:
    name: kas-fleet-manager-node-prewarming-config
    annotations:
      qontract.recycle: "true"
  data:
    node-prewarming-configuration.yaml: |-
      ${NODE_PREWARMING_CONFIG}
# Admin API authorization: the per-HTTP-method role allow-list from
# ADMIN_AUTHZ_CONFIG. Changes here widen or narrow who can read, modify or
# delete through the admin endpoints.
- apiVersion: v1
  kind: ConfigMap
  metadata:
    name: kas-fleet-manager-admin-authz-config
    annotations:
      qontract.recycle: "true"
  data:
    admin-authz-configuration.yaml: |-
      ${ADMIN_AUTHZ_CONFIG}
# Quota-management list: service accounts and per-organisation users allowed
# to create standard Kafka instances (used when QUOTA_TYPE is
# "quota-management-list").
- apiVersion: v1
  kind: ConfigMap
  metadata:
    name: kas-fleet-manager-allowed-users-config
    annotations:
      qontract.recycle: "true"
  data:
    quota-management-list-configuration.yaml: |-
      registered_service_accounts: ${REGISTERED_SERVICE_ACCOUNTS}
      registered_users_per_organisation: ${REGISTERED_USERS_PER_ORGANISATION}
# Deny list of usernames (DENIED_USERS); enforced only when ENABLE_DENY_LIST is set.
- apiVersion: v1
  kind: ConfigMap
  metadata:
    name: kas-fleet-manager-denied-users-config
    annotations:
      qontract.recycle: "true"
  data:
    deny-list-configuration.yaml: |-
      ${DENIED_USERS}
# Access list of organisation IDs (ACCEPTED_ORGANISATIONS); enforced only when
# ENABLE_ACCESS_LIST is set.
- apiVersion: v1
  kind: ConfigMap
  metadata:
    name: kas-fleet-manager-accepted-organisations-config
    annotations:
      qontract.recycle: "true"
  data:
    access-list-configuration.yaml: |-
      ${ACCEPTED_ORGANISATIONS}
# Configured Kafka owners (KAFKA_OWNERS); relevant when ENABLE_KAFKA_OWNER is set.
- apiVersion: v1
  kind: ConfigMap
  metadata:
    name: kas-fleet-manager-kafka-owner-list
    annotations:
      qontract.recycle: "true"
  data:
    kafka-owner-list.yaml: |-
      ${KAFKA_OWNERS}
# Usernames granted read-only access (READ_ONLY_USERS).
- apiVersion: v1
  kind: ConfigMap
  metadata:
    name: kas-fleet-manager-read-only-user-list
    annotations:
      qontract.recycle: "true"
  data:
    read-only-user-list.yaml: |-
      ${READ_ONLY_USERS}
# Usernames granted kafka-sre admin access (KAFKA_SRE_USERS). This is a
# privileged list; keep it minimal and review changes to it.
- apiVersion: v1
  kind: ConfigMap
  metadata:
    name: kas-fleet-manager-kafka-sre-user-list
    annotations:
      qontract.recycle: "true"
  data:
    kafka-sre-user-list.yaml: |-
      ${KAFKA_SRE_USERS}
# OLM SubscriptionConfig for the kas-fleetshard operator on standalone clusters.
- apiVersion: v1
  kind: ConfigMap
  metadata:
    name: kas-fleet-manager-fleetshard-operator-subscription-config
    annotations:
      qontract.recycle: "true"
  data:
    kas-fleetshard-operator-subscription-spec-config.yaml: |-
      ${KAS_FLEETSHARD_OPERATOR_SUBSCRIPTION_CONFIG}
# OLM SubscriptionConfig for the Strimzi operator on standalone clusters.
- apiVersion: v1
  kind: ConfigMap
  metadata:
    name: kas-fleet-manager-strimzi-operator-subscription-config
    annotations:
      qontract.recycle: "true"
  data:
    strimzi-operator-subscription-spec-config.yaml: |-
      ${STRIMZI_OPERATOR_SUBSCRIPTION_CONFIG}
# Static JWKS for JWT signature verification: four RSA public keys, two
# advertised for RS256 and two for RS512. Public keys only — nothing secret —
# but a baked-in key set only verifies tokens signed by exactly these kids;
# when the issuer rotates keys this ConfigMap must be updated or verification
# fails. How this relates to the JWKS_URL parameter is not visible in this file.
- apiVersion: v1
  kind: ConfigMap
  metadata:
    name: kas-fleet-manager-authentication
    annotations:
      qontract.recycle: "true"
  data:
    jwks.json: |-
      {
        "keys": [
          {
            "kid": "-4elc_VdN_WsOUYf2G4Qxr8GcwIx_KtXUCitatLKlLw",
            "kty": "RSA",
            "alg": "RS256",
            "use": "sig",
            "n": "5MvhbE1Mxr2FUYGZiH0z6p-kV-FIUHp4ErxkD6S8Sc5OB7IjRKDSsJzmuwR803cKpeKoIkkUTiznYwCBqAUdP3bIZ8k97X6GX19dOSqL4ej1rjYZYAf9_Jt_Z-0PzIjX50z6TpqeGoh7-6P-634SvbdjatnhTAQ3qsBXfPOHPIPRAZkGfmlM1EdvIlm_d2hQ7nDSETbVC4YHY-iESvUhre-aNmqJU_E6fRnGwFTPS20fPLE5bUNbshvTXn5c-bxtWK9bSCHCRVYUF9QWwDoFX9gGOIpSScHAKQLRR16yOQjOioZ2FeVZnDpWNvZelbQ7LtLN0H5uCJsqDoZDDhDWeFp-25O9ih5M9auT_2IepUlOq3OBMj7i3CJXrvjNQiuGkPHp9xN6kd5H4E5hcqUTmfYdgf1IuXP0cTwYtQor21dWBSpFvxW8l1HGLOaO_rSetNRJ-tZ7FKUK5L6crt1N72AGIay96gNOWNe4POOG_ML1r4h3SKBFdMPwJ-R5KDg7-oRcUT4kLuFtWuQG7bKLJhIxw_SnVFajLGt1d3-OCqX6ozuUbdEW31f9iLZd4w-NUSSHjxP1Uvalk5QfUro9w9fTW73jRIUASnbHunopjt_IkiQswrdIwpfpeBokcf9O757_i0kctQ5M1gyPf4-0yPfuDVkeBAHygoxNJU9H3C0",
            "e": "AQAB"
          },
          {
            "kid": "v5MpUEnwk1VYIqifv9G9xmIB2ZLzPttk-0PaEURQQ3I",
            "kty": "RSA",
            "alg": "RS256",
            "use": "sig",
            "n": "uYp35gi5YzQeNN5aQOPwLranSJT9aJB-w6Ih4Wn9R6FzEg1OEKwBNNpb-z18reAyhxQMy_bCz3q-J7viX6p5hbclPBakKOjPB4lDzwhvfE1G4vp84zH1bR7m8dd4OXbriojVZ51IPNuItO00nrDrx6PWNP_5ufBUwjJo8-BD-sWm7BP_CVlb8miVh8itpcLJrszpHzF-u0OPqwI_e3P83cYOsXoQRxD4wpo718yqYh4J3NNJQYnyprJMpC3w3QQ5PR28TbBfSHgvtWD1SBuavHh2jwT_6Pi8FqOS1vfX7QA1pxyYZ-zazVxj_zOrCeP3FHyaxTPmn0d5zsXBZCCyhsfCaStnFePTPk-KEGwZAlv43JJjV2rTJc1Lsj1Th7Jq63TvwIGBcFFAtC72N5-jwRjUoeyu_nwO_1r1awvbfrlBF31PG5wxUdVR56PesLO7EVH1_2KrVN7dtgaQkomVk6rULBbCbwhfR1oT3cOxF7d0ajpbzHd2qcfeBzFTABL8dzBp4FcZx5QyYSIOP8fuwSO8zy4rxmBw7HpHGOGFrC3cXWqB33M23IjOpVZbfK46QvJhcGq9QEtOlRO2WVemMcwDSgpceAa7e3ZJx-LO6XyTEjRtTuHMwdLxII3YUlL1hPozrNE1U_ADPGHgnTxGswgBpGOA6rOkWav5uhcj9Cs",
            "e": "AQAB"
          },
          {
            "kid": "RIENZmfJ6O4rpkmnswmxgMUznjq3rRuUbz5r9eFiq3E",
            "kty": "RSA",
            "alg": "RS512",
            "use": "sig",
            "n": "0BpyPqFrZHF2xluG8wSjUMr_ouktSJiSq3VcOn6xH04rG8wLX-v3JfhXRjtJl3XpSJU7j5GMJzz3Cq3dbgBCpb49gVQkBE7s4NVlN4gLhonn7VekXF6YZlI152ROFxoKWda157BIj3m--JYVKIiVg21WujAOA5WVjy17t3fC_7HDgPMVO6MSo7aCbzOc1NEDJ0-5NBNtqZBBlu240gyhW8FNgIdgna-_QWKsQOUKTDlvOFwEt0IDXd29KU0FOIGRPiKsQ--1eIBg3OLMxlni-DhWBAyVpf5_kP0P8udSqXfWba6i6YmnNAAdaVYV5_EGYCxPhwdwTndNtDErCw1oaw",
            "e": "AQAB"
          },
          {
            "kid": "E3DKGdZQ7xTiIvfdFgVXLNupVupFBlcxNUgVCFhDwEg",
            "kty": "RSA",
            "alg": "RS512",
            "use": "sig",
            "n": "ta1xAjqdqnH_RlDI1rFtiGWYgnxpzqGflSQXzuiKR1QaipHTeGeLDUTcG1O6nlb9YgEVcJKSP8JQ36QNfXCPKlNcsqUqr81jiL_kSNAD3xHX4Z8ymuA-FW24bLeNwRkdGKGy3aY4giJxXnqB63ArtjmmWaGYEQEriUz16wW0w3H_QJyje3__j_Sh1ya_V7Ct3A6ajTipp-OzAuIgsqXbZz2b8ejr3My5PiXz9t41xKx_u4Mm18BQ4SQ2OvTfA0Of0mZ3Q-FVy2q1WIKwPmCMDyV5bigmvRYblRDCbTvKIGHyEjs1zuAxJqzFJkGpAHpnKfbUdSfO-JWK6fB4V3bPzw",
            "e": "AQAB"
          }
        ]
      }
# Pre-registered data plane clusters (CLUSTER_LIST); used with the manual
# DATAPLANE_CLUSTER_SCALING_TYPE.
- apiVersion: v1
  kind: ConfigMap
  metadata:
    name: kas-fleet-manager-dataplane-cluster-scaling-config
    annotations:
      qontract.recycle: "true"
  data:
    dataplane-cluster-configuration.yaml: |-
      clusters: ${CLUSTER_LIST}
# Organisation IDs exempt from the service-account limit check
# (SERVICE_ACCOUNT_LIMIT_CHECK_SKIP_ORG_ID_LIST). An exemption list; review
# additions as carefully as the limit itself.
- apiVersion: v1
  kind: ConfigMap
  metadata:
    name: service-account-limits-check-skip-org-id-list
    annotations:
      qontract.recycle: "true"
  data:
    service-account-limits-check-skip-org-id-list.yaml: |-
      ${SERVICE_ACCOUNT_LIMIT_CHECK_SKIP_ORG_ID_LIST}
# Dedicated ServiceAccount for the API pods, so the Deployment does not run as
# the namespace default account.
- apiVersion: v1
  kind: ServiceAccount
  metadata:
    name: kas-fleet-manager
    labels:
      app: kas-fleet-manager
- kind: Deployment
apiVersion: apps/v1
metadata:
name: kas-fleet-manager
labels:
app: kas-fleet-manager
spec:
selector:
matchLabels:
app: kas-fleet-manager
replicas: ${{REPLICAS}}
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
labels:
app: kas-fleet-manager
spec:
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchExpressions:
- key: app
operator: In
values:
- kas-fleet-manager
topologyKey: failure-domain.beta.kubernetes.io/zone
weight: 100
serviceAccount: kas-fleet-manager
serviceAccountName: kas-fleet-manager
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
volumes:
- name: tls
secret:
secretName: kas-fleet-manager-tls
- name: kas-fleet-manager-aws-secret-manager
secret:
secretName: kas-fleet-manager-aws-secret-manager
- name: service
secret:
secretName: kas-fleet-manager
- name: dataplane-certificate
secret:
secretName: kas-fleet-manager-dataplane-certificate
- name: rds
secret:
secretName: kas-fleet-manager-rds
- name: observability-cwl-config
secret:
secretName: kas-fleet-manager-observability-cwl-config
optional: true
- name: kas-fleet-manager-providers-config
configMap:
name: kas-fleet-manager-providers-config
- name: kas-fleet-manager-kafka-instance-types-config
configMap:
name: kas-fleet-manager-kafka-instance-types-config
- name: kas-fleet-manager-dynamic-scaling-config
configMap:
name: kas-fleet-manager-dynamic-scaling-config
- name: kas-fleet-manager-node-prewarming-config
configMap:
name: kas-fleet-manager-node-prewarming-config
- name: kas-fleet-manager-admin-authz-config
configMap:
name: kas-fleet-manager-admin-authz-config
- name: kas-fleet-manager-allowed-users-config
configMap:
name: kas-fleet-manager-allowed-users-config
- name: kas-fleet-manager-kafka-owner-list
configMap:
name: kas-fleet-manager-kafka-owner-list
- name: kas-fleet-manager-denied-users-config
configMap:
name: kas-fleet-manager-denied-users-config
- name: kas-fleet-manager-accepted-organisations-config
configMap:
name: kas-fleet-manager-accepted-organisations-config
- name: kas-fleet-manager-read-only-user-list
configMap:
name: kas-fleet-manager-read-only-user-list
- name: kas-fleet-manager-kafka-sre-user-list
configMap:
name: kas-fleet-manager-kafka-sre-user-list
- name: kas-fleet-manager-authentication
configMap:
name: kas-fleet-manager-authentication
- name: kas-fleet-manager-dataplane-cluster-scaling-config
configMap:
name: kas-fleet-manager-dataplane-cluster-scaling-config
- name: service-account-limits-check-skip-org-id-list
configMap:
name: service-account-limits-check-skip-org-id-list
- name: kas-fleet-manager-fleetshard-operator-subscription-config
configMap:
name: kas-fleet-manager-fleetshard-operator-subscription-config
- name: kas-fleet-manager-strimzi-operator-subscription-config
configMap:
name: kas-fleet-manager-strimzi-operator-subscription-config
- name: envoy-config
configMap:
name: kas-fleet-manager-envoy-config
- name: envoy-tls
secret:
secretName: kas-fleet-manager-envoy-tls
- name: envoy-unix-sockets
emptyDir:
medium: Memory
- name: kas-fleet-manager-observatorium-configuration-red-hat-sso
secret:
secretName: kas-fleet-manager-observatorium-configuration-red-hat-sso
initContainers:
- name: migration
image: ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY}:${IMAGE_TAG}
imagePullPolicy: ${IMAGE_PULL_POLICY}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
volumeMounts:
- name: service
mountPath: /secrets/service
- name: rds
mountPath: /secrets/rds
command:
- /usr/local/bin/kas-fleet-manager
- migrate
- --db-host-file=/secrets/rds/db.host
- --db-port-file=/secrets/rds/db.port
- --db-user-file=/secrets/rds/db.user
- --db-password-file=/secrets/rds/db.password
- --db-name-file=/secrets/rds/db.name
- --db-ssl-certificate-file=/secrets/rds/db.ca_cert
- --db-sslmode=${DB_SSLMODE}
- --db-max-open-connections=${DB_MAX_OPEN_CONNS}
- --enable-db-debug=${ENABLE_DB_DEBUG}
- --alsologtostderr
- -v=${GLOG_V}
containers:
- name: service
image: ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY}:${IMAGE_TAG}
imagePullPolicy: ${IMAGE_PULL_POLICY}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
volumeMounts:
- name: tls
mountPath: /secrets/tls
- name: kas-fleet-manager-aws-secret-manager
mountPath: /secrets/aws-secret-manager
- name: service
mountPath: /secrets/service
- name: dataplane-certificate
mountPath: /secrets/dataplane-certificate
- name: kas-fleet-manager-observatorium-configuration-red-hat-sso
mountPath: /secrets/observatorium
- name: observability-cwl-config
mountPath: /secrets/observability
- name: rds
mountPath: /secrets/rds
- name: kas-fleet-manager-providers-config
mountPath: /config/provider-configuration.yaml
subPath: provider-configuration.yaml
- name: kas-fleet-manager-kafka-instance-types-config
mountPath: /config/kafka-instance-types-configuration.yaml
subPath: kafka-instance-types-configuration.yaml
- name: kas-fleet-manager-dynamic-scaling-config
mountPath: /config/dynamic-scaling-configuration.yaml
subPath: dynamic-scaling-configuration.yaml
- name: kas-fleet-manager-node-prewarming-config
mountPath: /config/node-prewarming-configuration.yaml
subPath: node-prewarming-configuration.yaml
- name: kas-fleet-manager-admin-authz-config
mountPath: /config/admin-authz-configuration.yaml
subPath: admin-authz-configuration.yaml
- name: kas-fleet-manager-allowed-users-config
mountPath: /config/quota-management-list-configuration.yaml
subPath: quota-management-list-configuration.yaml
- name: kas-fleet-manager-denied-users-config
mountPath: /config/deny-list-configuration.yaml
subPath: deny-list-configuration.yaml
- name: kas-fleet-manager-accepted-organisations-config
mountPath: /config/access-list-configuration.yaml
subPath: access-list-configuration.yaml
- name: kas-fleet-manager-read-only-user-list
mountPath: /config/read-only-user-list.yaml
subPath: read-only-user-list.yaml
- name: kas-fleet-manager-kafka-sre-user-list
mountPath: /config/kafka-sre-user-list.yaml
subPath: kafka-sre-user-list.yaml
- name: kas-fleet-manager-authentication
mountPath: /config/authentication
- name: kas-fleet-manager-dataplane-cluster-scaling-config
mountPath: /config/dataplane-cluster-configuration.yaml
subPath: dataplane-cluster-configuration.yaml
- name: service-account-limits-check-skip-org-id-list
mountPath: /config/service-account-limits-check-skip-org-id-list.yaml
subPath: service-account-limits-check-skip-org-id-list.yaml
- name: kas-fleet-manager-kafka-owner-list
mountPath: /config/kafka-owner-list.yaml
subPath: kafka-owner-list.yaml
- name: kas-fleet-manager-fleetshard-operator-subscription-config
mountPath: /config/kas-fleetshard-operator-subscription-spec-config.yaml
subPath: kas-fleetshard-operator-subscription-spec-config.yaml
- name: kas-fleet-manager-strimzi-operator-subscription-config
mountPath: /config/strimzi-operator-subscription-spec-config.yaml
subPath: strimzi-operator-subscription-spec-config.yaml
env:
- name: "OCM_ENV"
value: "${ENVIRONMENT}"
command: