From 1249d97e86104e589f4abcd393d020a3aaa0c92a Mon Sep 17 00:00:00 2001 From: Yury Kovalev Date: Thu, 28 Sep 2023 13:46:32 +0200 Subject: [PATCH 1/6] Install addon script --- dp-terraform/ocm/install_addon.sh | 193 ++++++++++++++++++++++++++++++ 1 file changed, 193 insertions(+) create mode 100755 dp-terraform/ocm/install_addon.sh diff --git a/dp-terraform/ocm/install_addon.sh b/dp-terraform/ocm/install_addon.sh new file mode 100755 index 0000000000..b17bc9c6c1 --- /dev/null +++ b/dp-terraform/ocm/install_addon.sh 
@@ -0,0 +1,193 @@ +#!/usr/bin/env bash + +#TODO(kovayur): enable and review all shellcheck exclusions (SC2034) +#set -euo pipefail + +SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)" + +# shellcheck source=scripts/lib/external_config.sh +source "$SCRIPT_DIR/../../scripts/lib/external_config.sh" + + +if [[ $# -ne 2 ]]; then + echo "Usage: $0 [environment] [cluster]" >&2 + echo "Known environments: integration stage prod" + echo "Cluster typically looks like: acs-{env}-dp-01" + exit 2 +fi + +ENVIRONMENT=$1 +CLUSTER_NAME=$2 + +export AWS_AUTH_HELPER="${AWS_AUTH_HELPER:-aws-saml}" + +init_chamber + +load_external_config fleetshard-sync FLEETSHARD_SYNC_ +load_external_config cloudwatch-exporter CLOUDWATCH_EXPORTER_ +load_external_config logging LOGGING_ +load_external_config observability OBSERVABILITY_ +load_external_config secured-cluster SECURED_CLUSTER_ +load_external_config quay/rhacs-eng QUAY_ + +case $ENVIRONMENT in + dev) + FM_ENDPOINT="http://fleet-manager.rhacs.svc.cluster.local:8000" + OBSERVABILITY_GITHUB_TAG="master" + OBSERVABILITY_OBSERVATORIUM_GATEWAY="https://observatorium-mst.api.nonexistent.openshift.com" + OBSERVABILITY_OPERATOR_VERSION="v4.2.1" + OPERATOR_USE_UPSTREAM="false" + # shellcheck disable=SC2034 + OPERATOR_CHANNEL="stable" + # shellcheck disable=SC2034 + OPERATOR_VERSION="v4.2.0" + FLEETSHARD_SYNC_CPU_REQUEST="${FLEETSHARD_SYNC_CPU_REQUEST:-"200m"}" + FLEETSHARD_SYNC_MEMORY_REQUEST="${FLEETSHARD_SYNC_MEMORY_REQUEST:-"512Mi"}" + FLEETSHARD_SYNC_CPU_LIMIT="${FLEETSHARD_SYNC_CPU_LIMIT:-"500m"}" + FLEETSHARD_SYNC_MEMORY_LIMIT="${FLEETSHARD_SYNC_MEMORY_LIMIT:-"512Mi"}" + SECURED_CLUSTER_ENABLED="false" + ;; + + integration) + FM_ENDPOINT="https://qj3layty4dynlnz.api.integration.openshift.com" + OBSERVABILITY_GITHUB_TAG="master" + OBSERVABILITY_OBSERVATORIUM_GATEWAY="https://observatorium-mst.api.stage.openshift.com" + OBSERVABILITY_OPERATOR_VERSION="v4.2.1" + OPERATOR_USE_UPSTREAM="false" + # shellcheck disable=SC2034 + OPERATOR_CHANNEL="stable" + # 
shellcheck disable=SC2034 + OPERATOR_VERSION="v4.2.0" + FLEETSHARD_SYNC_CPU_REQUEST="${FLEETSHARD_SYNC_CPU_REQUEST:-"200m"}" + FLEETSHARD_SYNC_MEMORY_REQUEST="${FLEETSHARD_SYNC_MEMORY_REQUEST:-"1024Mi"}" + FLEETSHARD_SYNC_CPU_LIMIT="${FLEETSHARD_SYNC_CPU_LIMIT:-"1000m"}" + FLEETSHARD_SYNC_MEMORY_LIMIT="${FLEETSHARD_SYNC_MEMORY_LIMIT:-"1024Mi"}" + # shellcheck disable=SC2034 + SECURED_CLUSTER_ENABLED="false" # TODO(ROX-18908): enable + ;; + + stage) + FM_ENDPOINT="https://xtr6hh3mg6zc80v.api.stage.openshift.com" + OBSERVABILITY_GITHUB_TAG="stage" + OBSERVABILITY_OBSERVATORIUM_GATEWAY="https://observatorium-mst.api.stage.openshift.com" + OBSERVABILITY_OPERATOR_VERSION="v4.2.1" + OPERATOR_USE_UPSTREAM="false" + # shellcheck disable=SC2034 + OPERATOR_CHANNEL="stable" + # shellcheck disable=SC2034 + OPERATOR_VERSION="v4.2.0" + FLEETSHARD_SYNC_CPU_REQUEST="${FLEETSHARD_SYNC_CPU_REQUEST:-"200m"}" + FLEETSHARD_SYNC_MEMORY_REQUEST="${FLEETSHARD_SYNC_MEMORY_REQUEST:-"1024Mi"}" + FLEETSHARD_SYNC_CPU_LIMIT="${FLEETSHARD_SYNC_CPU_LIMIT:-"1000m"}" + FLEETSHARD_SYNC_MEMORY_LIMIT="${FLEETSHARD_SYNC_MEMORY_LIMIT:-"1024Mi"}" + # shellcheck disable=SC2034 + SECURED_CLUSTER_ENABLED="true" + ;; + + prod) + FM_ENDPOINT="https://api.openshift.com" + OBSERVABILITY_GITHUB_TAG="production" + OBSERVABILITY_OBSERVATORIUM_GATEWAY="https://observatorium-mst.api.openshift.com" + OBSERVABILITY_OPERATOR_VERSION="v4.2.1" + OPERATOR_USE_UPSTREAM="false" + # shellcheck disable=SC2034 + OPERATOR_CHANNEL="stable" + # shellcheck disable=SC2034 + OPERATOR_VERSION="v4.2.0" + FLEETSHARD_SYNC_CPU_REQUEST="${FLEETSHARD_SYNC_CPU_REQUEST:-"200m"}" + FLEETSHARD_SYNC_MEMORY_REQUEST="${FLEETSHARD_SYNC_MEMORY_REQUEST:-"1024Mi"}" + FLEETSHARD_SYNC_CPU_LIMIT="${FLEETSHARD_SYNC_CPU_LIMIT:-"1000m"}" + FLEETSHARD_SYNC_MEMORY_LIMIT="${FLEETSHARD_SYNC_MEMORY_LIMIT:-"1024Mi"}" + # shellcheck disable=SC2034 + SECURED_CLUSTER_ENABLED="true" + ;; + + *) + echo "Unknown environment ${ENVIRONMENT}" + exit 2 + ;; +esac + 
+CLUSTER_ENVIRONMENT="$(echo "${CLUSTER_NAME}" | cut -d- -f 2 | sed 's,^int$,integration,')" +if [[ $CLUSTER_ENVIRONMENT != "$ENVIRONMENT" ]]; then + echo "Cluster ${CLUSTER_NAME} is expected to be in environment ${CLUSTER_ENVIRONMENT}, not ${ENVIRONMENT}" >&2 + exit 2 +fi + +FLEETSHARD_SYNC_ORG="app-sre" +FLEETSHARD_SYNC_IMAGE="acs-fleet-manager" +# Get HEAD for both main and production. This is the latest merged commit. +FLEETSHARD_SYNC_TAG="$(git rev-parse --short=7 HEAD)" + +if [[ "${ADDON_DRY_RUN:-}" == "true" ]]; then + "${SCRIPT_DIR}/../../scripts/check_image_exists.sh" "${FLEETSHARD_SYNC_ORG}" "${FLEETSHARD_SYNC_IMAGE}" "${FLEETSHARD_SYNC_TAG}" 0 || echo >&2 "Ignoring failed image check in dry-run mode." +else + "${SCRIPT_DIR}/../../scripts/check_image_exists.sh" "${FLEETSHARD_SYNC_ORG}" "${FLEETSHARD_SYNC_IMAGE}" "${FLEETSHARD_SYNC_TAG}" +fi + +echo "Loading external config: audit-logs/${CLUSTER_NAME}" +load_external_config "audit-logs/${CLUSTER_NAME}" AUDIT_LOGS_ + +echo "Loading external config: cluster-${CLUSTER_NAME}" +load_external_config "cluster-${CLUSTER_NAME}" CLUSTER_ + +OPERATOR_SOURCE="redhat-operators" +OPERATOR_USE_UPSTREAM="${OPERATOR_USE_UPSTREAM:-false}" +if [[ "${OPERATOR_USE_UPSTREAM}" == "true" ]]; then + oc login --token="${CLUSTER_ROBOT_OC_TOKEN}" --server="$CLUSTER_URL" + + quay_basic_auth="${QUAY_READ_ONLY_USERNAME}:${QUAY_READ_ONLY_PASSWORD}" + pull_secret_json="$(mktemp)" + trap 'rm -f "${pull_secret_json}"' EXIT + oc get secret/pull-secret -n openshift-config --template='{{index .data ".dockerconfigjson" | base64decode}}' > "${pull_secret_json}" + oc registry login --registry="quay.io/rhacs-eng" --auth-basic="${quay_basic_auth}" --to="${pull_secret_json}" --skip-check + oc set data secret/pull-secret -n openshift-config --from-file=.dockerconfigjson="${pull_secret_json}" + # shellcheck disable=SC2034 + OPERATOR_SOURCE="rhacs-operators" +fi + +ocm post "/api/clusters_mgmt/v1/clusters/${CLUSTER_ID}/addons" << EOF +{ + "addon": { + 
"id": "acs-fleetshard" + }, + "parameters": { + "items": [ + { "id": "acscs-environment", "value": "${ENVIRONMENT}" }, + { "id": "cloudwatch-aws-access-key-id", "value": "${CLOUDWATCH_EXPORTER_AWS_ACCESS_KEY_ID:-}" }, + { "id": "cloudwatch-aws-secret-access-key", "value": "${CLOUDWATCH_EXPORTER_AWS_SECRET_ACCESS_KEY:-}" }, + { "id": "fleetshard-sync-auth-type", "value": "RHSSO" }, + { "id": "fleetshard-sync-aws-region", "value": "${CLUSTER_REGION}" }, + { "id": "fleetshard-sync-aws-role-arn", "value": "${FLEETSHARD_SYNC_AWS_ROLE_ARN}" }, + { "id": "fleetshard-sync-fleet-manager-endpoint", "value": "${FM_ENDPOINT}" }, + { "id": "fleetshard-sync-managed-db-enabled", "value": "true" }, + { "id": "fleetshard-sync-managed-db-performance-insights", "value": "true" }, + { "id": "fleetshard-sync-managed-db-security-group", "value": "${CLUSTER_MANAGED_DB_SECURITY_GROUP}" }, + { "id": "fleetshard-sync-managed-db-subnet-group", "value": "${CLUSTER_MANAGED_DB_SUBNET_GROUP}" }, + { "id": "fleetshard-sync-red-hat-sso-client-id", "value": "${FLEETSHARD_SYNC_RHSSO_SERVICE_ACCOUNT_CLIENT_ID}" }, + { "id": "fleetshard-sync-red-hat-sso-client-secret", "value": "${FLEETSHARD_SYNC_RHSSO_SERVICE_ACCOUNT_CLIENT_SECRET}" }, + { "id": "fleetshard-sync-red-hat-sso-realm", "value": "redhat-external" }, + { "id": "fleetshard-sync-red-hat-sso-endpoint", "value": "https://sso.redhat.com" }, + { "id": "fleetshard-sync-telemetry-storage-endpoint", "value": "${FLEETSHARD_SYNC_TELEMETRY_STORAGE_ENDPOINT:-}" }, + { "id": "fleetshard-sync-telemetry-storage-key", "value": "${FLEETSHARD_SYNC_TELEMETRY_STORAGE_KEY:-}" }, + { "id": "fleetshard-sync-create-auth-provider", "value": "true" }, + { "id": "logging-aws-access-key-id", "value": "${LOGGING_AWS_ACCESS_KEY_ID}" }, + { "id": "logging-aws-secret-access-key", "value": "${LOGGING_AWS_SECRET_ACCESS_KEY}" }, + { "id": "logging-group-prefix", "value": "${CLUSTER_NAME}" }, + { "id": "logging-aws-region", "value": "us-east-1" }, + { "id": 
"observability-dead-mans-switch-url", "value": "${OBSERVABILITY_DEAD_MANS_SWITCH_URL}" }, + { "id": "observability-pagerduty-key", "value": "${OBSERVABILITY_PAGERDUTY_ROUTING_KEY}" }, + { "id": "observability-github-access-token", "value": "${OBSERVABILITY_GITHUB_ACCESS_TOKEN}" }, + { "id": "observability-github-repository", "value": "https://api.github.com/repos/stackrox/rhacs-observability-resources/contents" }, + { "id": "observability-github-tag", "value": "${OBSERVABILITY_GITHUB_TAG}" }, + { "id": "observability-operator-version", "value": "${OBSERVABILITY_OPERATOR_VERSION}" }, + { "id": "observability-observatorium-gateway", "value": "${OBSERVABILITY_OBSERVATORIUM_GATEWAY}" }, + { "id": "observability-observatorium-metrics-client-id", "value": "${OBSERVABILITY_OBSERVATORIUM_METRICS_CLIENT_ID}" }, + { "id": "observability-observatorium-metrics-secret", "value": "${OBSERVABILITY_OBSERVATORIUM_METRICS_SECRET}" }, + { "id": "observability-observatorium-auth-type", "value": "redhat" }, + { "id": "observability-observatorium-red-hat-sso-auth-server-url", "value": "https://sso.redhat.com/auth/" }, + { "id": "observability-observatorium-red-hat-sso-realm", "value": "redhat-external" } + ] + } +} +EOF From 9ebc0ff5254d7a05b2b2eb0b12560299926a363e Mon Sep 17 00:00:00 2001 From: Evan B Date: Mon, 9 Oct 2023 11:33:01 +0200 Subject: [PATCH 2/6] Intermediate step - camel case to make diff clearer and sorted by key --- dp-terraform/ocm/install_addon.sh | 70 +++++++++++++++---------------- 1 file changed, 35 insertions(+), 35 deletions(-) diff --git a/dp-terraform/ocm/install_addon.sh b/dp-terraform/ocm/install_addon.sh index b17bc9c6c1..abec7d3437 100755 --- a/dp-terraform/ocm/install_addon.sh +++ b/dp-terraform/ocm/install_addon.sh 
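Review bot: Every `value` in the `ocm post` heredoc is a shell variable pasted verbatim into a JSON string literal, so any secret or endpoint that contains a double quote, backslash or newline (the `*_CLIENT_SECRET`, `*_SECRET_ACCESS_KEY` and `*_KEY` values are the likely candidates) yields an invalid or silently truncated payload, and with `set -euo pipefail` commented out at the top a rejected `ocm post` does not even stop the script. The same construction survives as `OCM_PAYLOAD=$(cat << EOF` in the `@@ -131,30 +106,14 @@` hunk of patch 5, so the fix applies there too. Building the body with `jq -n --arg` lets jq escape every value and keeps the call site a one-liner, `ocm post "/api/clusters_mgmt/v1/clusters/${CLUSTER_ID}/addons" <<< "$OCM_PAYLOAD"`. A smaller style point in the same hunk: the `*)` arm of the `case` prints `Unknown environment` on stdout while the usage block above sends its first line to stderr; `>&2` on both keeps diagnostics on one stream.
```shell
# Build the payload with jq so that every value is JSON-escaped instead of
# being pasted verbatim into a heredoc (quotes, backslashes and newlines in
# secrets would otherwise corrupt the document).
OCM_PAYLOAD=$(jq -n \
  --arg environment "${ENVIRONMENT}" \
  --arg sso_client_id "${FLEETSHARD_SYNC_RHSSO_SERVICE_ACCOUNT_CLIENT_ID}" \
  --arg sso_client_secret "${FLEETSHARD_SYNC_RHSSO_SERVICE_ACCOUNT_CLIENT_SECRET}" \
  '{
    addon: { id: "acs-fleetshard" },
    parameters: { items: [
      { id: "acscs-environment", value: $environment },
      { id: "fleetshard-sync-red-hat-sso-client-id", value: $sso_client_id },
      { id: "fleetshard-sync-red-hat-sso-client-secret", value: $sso_client_secret }
    ] }
  }')
# … unchanged: the remaining parameters follow the same --arg / item pattern …
ocm post "/api/clusters_mgmt/v1/clusters/${CLUSTER_ID}/addons" <<< "$OCM_PAYLOAD"
```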
@@ -149,44 +149,44 @@ fi ocm post "/api/clusters_mgmt/v1/clusters/${CLUSTER_ID}/addons" << EOF { "addon": { - "id": "acs-fleetshard" + "id":"acs-fleetshard" }, "parameters": { "items": [ - { "id": "acscs-environment", "value": "${ENVIRONMENT}" }, - { "id": "cloudwatch-aws-access-key-id", "value": "${CLOUDWATCH_EXPORTER_AWS_ACCESS_KEY_ID:-}" }, - { "id": "cloudwatch-aws-secret-access-key", "value": "${CLOUDWATCH_EXPORTER_AWS_SECRET_ACCESS_KEY:-}" }, - { "id": "fleetshard-sync-auth-type", "value": "RHSSO" }, - { "id": "fleetshard-sync-aws-region", "value": "${CLUSTER_REGION}" }, - { "id": "fleetshard-sync-aws-role-arn", "value": "${FLEETSHARD_SYNC_AWS_ROLE_ARN}" }, - { "id": "fleetshard-sync-fleet-manager-endpoint", "value": "${FM_ENDPOINT}" }, - { "id": "fleetshard-sync-managed-db-enabled", "value": "true" }, - { "id": "fleetshard-sync-managed-db-performance-insights", "value": "true" }, - { "id": "fleetshard-sync-managed-db-security-group", "value": "${CLUSTER_MANAGED_DB_SECURITY_GROUP}" }, - { "id": "fleetshard-sync-managed-db-subnet-group", "value": "${CLUSTER_MANAGED_DB_SUBNET_GROUP}" }, - { "id": "fleetshard-sync-red-hat-sso-client-id", "value": "${FLEETSHARD_SYNC_RHSSO_SERVICE_ACCOUNT_CLIENT_ID}" }, - { "id": "fleetshard-sync-red-hat-sso-client-secret", "value": "${FLEETSHARD_SYNC_RHSSO_SERVICE_ACCOUNT_CLIENT_SECRET}" }, - { "id": "fleetshard-sync-red-hat-sso-realm", "value": "redhat-external" }, - { "id": "fleetshard-sync-red-hat-sso-endpoint", "value": "https://sso.redhat.com" }, - { "id": "fleetshard-sync-telemetry-storage-endpoint", "value": "${FLEETSHARD_SYNC_TELEMETRY_STORAGE_ENDPOINT:-}" }, - { "id": "fleetshard-sync-telemetry-storage-key", "value": "${FLEETSHARD_SYNC_TELEMETRY_STORAGE_KEY:-}" }, - { "id": "fleetshard-sync-create-auth-provider", "value": "true" }, - { "id": "logging-aws-access-key-id", "value": "${LOGGING_AWS_ACCESS_KEY_ID}" }, - { "id": "logging-aws-secret-access-key", "value": "${LOGGING_AWS_SECRET_ACCESS_KEY}" }, - { "id": 
"logging-group-prefix", "value": "${CLUSTER_NAME}" }, - { "id": "logging-aws-region", "value": "us-east-1" }, - { "id": "observability-dead-mans-switch-url", "value": "${OBSERVABILITY_DEAD_MANS_SWITCH_URL}" }, - { "id": "observability-pagerduty-key", "value": "${OBSERVABILITY_PAGERDUTY_ROUTING_KEY}" }, - { "id": "observability-github-access-token", "value": "${OBSERVABILITY_GITHUB_ACCESS_TOKEN}" }, - { "id": "observability-github-repository", "value": "https://api.github.com/repos/stackrox/rhacs-observability-resources/contents" }, - { "id": "observability-github-tag", "value": "${OBSERVABILITY_GITHUB_TAG}" }, - { "id": "observability-operator-version", "value": "${OBSERVABILITY_OPERATOR_VERSION}" }, - { "id": "observability-observatorium-gateway", "value": "${OBSERVABILITY_OBSERVATORIUM_GATEWAY}" }, - { "id": "observability-observatorium-metrics-client-id", "value": "${OBSERVABILITY_OBSERVATORIUM_METRICS_CLIENT_ID}" }, - { "id": "observability-observatorium-metrics-secret", "value": "${OBSERVABILITY_OBSERVATORIUM_METRICS_SECRET}" }, - { "id": "observability-observatorium-auth-type", "value": "redhat" }, - { "id": "observability-observatorium-red-hat-sso-auth-server-url", "value": "https://sso.redhat.com/auth/" }, - { "id": "observability-observatorium-red-hat-sso-realm", "value": "redhat-external" } + { "id": "acscsEnvironment", "value": "${ENVIRONMENT}" }, + { "id": "cloudwatchAwsAccessKeyId", "value": "${CLOUDWATCH_EXPORTER_AWS_ACCESS_KEY_ID:-}" }, + { "id": "cloudwatchAwsSecretAccessKey", "value": "${CLOUDWATCH_EXPORTER_AWS_SECRET_ACCESS_KEY:-}" }, + { "id": "fleetshardSyncAuthType", "value": "RHSSO" }, + { "id": "fleetshardSyncAwsRegion", "value": "${CLUSTER_REGION}" }, + { "id": "fleetshardSyncAwsRoleArn", "value": "${FLEETSHARD_SYNC_AWS_ROLE_ARN}" }, + { "id": "fleetshardSyncCreateAuthProvider", "value": "true" }, + { "id": "fleetshardSyncFleetManagerEndpoint", "value": "${FM_ENDPOINT}" }, + { "id": "fleetshardSyncManagedDbEnabled", "value": "true" }, + { 
"id": "fleetshardSyncManagedDbPerformanceInsights", "value": "true" }, + { "id": "fleetshardSyncManagedDbSecurityGroup", "value": "${CLUSTER_MANAGED_DB_SECURITY_GROUP}" }, + { "id": "fleetshardSyncManagedDbSubnetGroup", "value": "${CLUSTER_MANAGED_DB_SUBNET_GROUP}" }, + { "id": "fleetshardSyncRedHatSsoClientId", "value": "${FLEETSHARD_SYNC_RHSSO_SERVICE_ACCOUNT_CLIENT_ID}" }, + { "id": "fleetshardSyncRedHatSsoClientSecret", "value": "${FLEETSHARD_SYNC_RHSSO_SERVICE_ACCOUNT_CLIENT_SECRET}" }, + { "id": "fleetshardSyncRedHatSsoEndpoint", "value": "https://sso.redhat.com" }, + { "id": "fleetshardSyncRedHatSsoRealm", "value": "redhat-external" }, + { "id": "fleetshardSyncTelemetryStorageEndpoint", "value": "${FLEETSHARD_SYNC_TELEMETRY_STORAGE_ENDPOINT:-}" }, + { "id": "fleetshardSyncTelemetryStorageKey", "value": "${FLEETSHARD_SYNC_TELEMETRY_STORAGE_KEY:-}" }, + { "id": "loggingAwsAccessKeyId", "value": "${LOGGING_AWS_ACCESS_KEY_ID}" }, + { "id": "loggingAwsRegion", "value": "us-east-1" }, + { "id": "loggingAwsSecretAccessKey", "value": "${LOGGING_AWS_SECRET_ACCESS_KEY}" }, + { "id": "loggingGroupPrefix", "value": "${CLUSTER_NAME}" }, + { "id": "observabilityDeadMansSwitchUrl", "value": "${OBSERVABILITY_DEAD_MANS_SWITCH_URL}" }, + { "id": "observabilityGithubAccessToken", "value": "${OBSERVABILITY_GITHUB_ACCESS_TOKEN}" }, + { "id": "observabilityGithubRepository", "value": "https://api.github.com/repos/stackrox/rhacs-observability-resources/contents" }, + { "id": "observabilityGithubTag", "value": "${OBSERVABILITY_GITHUB_TAG}" }, + { "id": "observabilityObservatoriumAuthType", "value": "redhat" }, + { "id": "observabilityObservatoriumGateway", "value": "${OBSERVABILITY_OBSERVATORIUM_GATEWAY}" }, + { "id": "observabilityObservatoriumMetricsClientId", "value": "${OBSERVABILITY_OBSERVATORIUM_METRICS_CLIENT_ID}" }, + { "id": "observabilityObservatoriumMetricsSecret", "value": "${OBSERVABILITY_OBSERVATORIUM_METRICS_SECRET}" }, + { "id": 
"observabilityObservatoriumRedHatSsoAuthServerUrl", "value": "https://sso.redhat.com/auth/" }, + { "id": "observabilityObservatoriumRedHatSsoRealm", "value": "redhat-external" } + { "id": "observabilityOperatorVersion", "value": "${OBSERVABILITY_OPERATOR_VERSION}" }, + { "id": "observabilityPagerdutyKey", "value": "${OBSERVABILITY_PAGERDUTY_ROUTING_KEY}" }, ] } } From 9e52e7f336453c6f7d31ab1d8a40d7501b5ba0a8 Mon Sep 17 00:00:00 2001 From: Evan B Date: Mon, 9 Oct 2023 11:51:41 +0200 Subject: [PATCH 3/6] Added parameters to match full complement from terraform_cluster.sh --- dp-terraform/ocm/install_addon.sh | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/dp-terraform/ocm/install_addon.sh b/dp-terraform/ocm/install_addon.sh index abec7d3437..b7bdc74e2e 100755 --- a/dp-terraform/ocm/install_addon.sh +++ b/dp-terraform/ocm/install_addon.sh 
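Review bot: The new side of this hunk is not valid JSON: the `observabilityObservatoriumRedHatSsoRealm` item lost its trailing comma and the `observabilityPagerdutyKey` item gained one before the closing `]`, so `ocm post` is rejected at this commit even though patches 3 and 4 repair both. Since the message calls this an intermediate step, squashing it with the follow-ups (or fixing the two lines here) keeps every commit in the series runnable for bisecting. The rename of the ids from kebab-case to camelCase is a contract with the addon's parameter schema that cannot be checked from this file; a one-line comment naming where the ids are defined would help the next reader, e.g. `# Parameter ids must match the acs-fleetshard addon parameter schema (camelCase, sorted).`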
@@ -154,13 +154,17 @@ ocm post "/api/clusters_mgmt/v1/clusters/${CLUSTER_ID}/addons" << EOF
 "parameters": {
 "items": [
 { "id": "acscsEnvironment", "value": "${ENVIRONMENT}" },
+ { "id": "auditLogsLogGroupName", "value": "${AUDIT_LOGS_LOG_GROUP_NAME}" },
+ { "id": "auditLogsRoleArn", "value": "${AUDIT_LOGS_ROLE_ARN:-}" },
 { "id": "cloudwatchAwsAccessKeyId", "value": "${CLOUDWATCH_EXPORTER_AWS_ACCESS_KEY_ID:-}" },
 { "id": "cloudwatchAwsSecretAccessKey", "value": "${CLOUDWATCH_EXPORTER_AWS_SECRET_ACCESS_KEY:-}" },
 { "id": "fleetshardSyncAuthType", "value": "RHSSO" },
 { "id": "fleetshardSyncAwsRegion", "value": "${CLUSTER_REGION}" },
 { "id": "fleetshardSyncAwsRoleArn", "value": "${FLEETSHARD_SYNC_AWS_ROLE_ARN}" },
- { "id": "fleetshardSyncCreateAuthProvider", "value": "true" },
 { "id": "fleetshardSyncFleetManagerEndpoint", "value": "${FM_ENDPOINT}" },
+ { "id": "fleetshardSyncImageCredentialsPassword", "value": "${QUAY_READ_ONLY_PASSWORD}" },
+ { "id": "fleetshardSyncImageCredentialsRegistry", "value": "quay.io" },
+ { "id": "fleetshardSyncImageCredentialsUsername", "value": "${QUAY_READ_ONLY_USERNAME}" },
 { "id": "fleetshardSyncManagedDbEnabled", "value": "true" },
 { "id": "fleetshardSyncManagedDbPerformanceInsights", "value": "true" },
 { "id": "fleetshardSyncManagedDbSecurityGroup", "value": "${CLUSTER_MANAGED_DB_SECURITY_GROUP}" },
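Review bot: Besides the additions the commit message describes, this hunk deletes the `fleetshardSyncCreateAuthProvider` item; if that parameter no longer exists in the addon schema the commit message should say so, because otherwise the change silently alters the installed configuration. The new `fleetshardSyncImageCredentialsPassword` item forwards `QUAY_READ_ONLY_PASSWORD` unguarded while `auditLogsRoleArn` directly above uses `:-`, so the hunk does not make clear which values are required; a comment such as `# auditLogsRoleArn and the cloudwatch keys are optional, every other value must be present in the external config` would settle it, assuming that is the intent. The `ocm post` heredoc that holds these items starts and ends outside the hunk.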
@@ -169,6 +173,12 @@ ocm post "/api/clusters_mgmt/v1/clusters/${CLUSTER_ID}/addons" << EOF
 { "id": "fleetshardSyncRedHatSsoClientSecret", "value": "${FLEETSHARD_SYNC_RHSSO_SERVICE_ACCOUNT_CLIENT_SECRET}" },
 { "id": "fleetshardSyncRedHatSsoEndpoint", "value": "https://sso.redhat.com" },
 { "id": "fleetshardSyncRedHatSsoRealm", "value": "redhat-external" },
+ { "id": "fleetshardSyncResourcesLimitsCpu", "value": "${FLEETSHARD_SYNC_CPU_LIMIT}" },
+ { "id": "fleetshardSyncResourcesLimitsMemory", "value": "${FLEETSHARD_SYNC_MEMORY_LIMIT}" },
+ { "id": "fleetshardSyncResourcesRequestsCpu", "value": "${FLEETSHARD_SYNC_CPU_REQUEST}" },
+ { "id": "fleetshardSyncResourcesRequestsMemory", "value": "${FLEETSHARD_SYNC_MEMORY_REQUEST}" },
+ { "id": "fleetshardSyncSecretEncryptionKeyID", "value": "${CLUSTER_SECRET_ENCRYPTION_KEY_ID}" },
+ { "id": "fleetshardSyncSecretEncryptionType", "value": "kms" },
 { "id": "fleetshardSyncTelemetryStorageEndpoint", "value": "${FLEETSHARD_SYNC_TELEMETRY_STORAGE_ENDPOINT:-}" },
 { "id": "fleetshardSyncTelemetryStorageKey", "value": "${FLEETSHARD_SYNC_TELEMETRY_STORAGE_KEY:-}" },
 { "id": "loggingAwsAccessKeyId", "value": "${LOGGING_AWS_ACCESS_KEY_ID}" },
@@ -187,6 +197,15 @@ ocm post "/api/clusters_mgmt/v1/clusters/${CLUSTER_ID}/addons" << EOF
 { "id": "observabilityObservatoriumRedHatSsoRealm", "value": "redhat-external" }
 { "id": "observabilityOperatorVersion", "value": "${OBSERVABILITY_OPERATOR_VERSION}" },
 { "id": "observabilityPagerdutyKey", "value": "${OBSERVABILITY_PAGERDUTY_ROUTING_KEY}" },
+ { "id": "securedClusterAdmissionControlServiceTlsCert", "value": "${SECURED_CLUSTER_ADMISSION_CONTROL_CERT}" },
+ { "id": "securedClusterAdmissionControlServiceTlsKey", "value": "${SECURED_CLUSTER_ADMISSION_CONTROL_KEY}" },
+ { "id": "securedClusterCaCert", "value": "${SECURED_CLUSTER_CA_CERT}" },
+ { "id": "securedClusterCentralEndpoint", "value": "${SECURED_CLUSTER_CENTRAL_ENDPOINT}" },
+ { "id": "securedClusterCollectorServiceTlsCert", "value": "${SECURED_CLUSTER_COLLECTOR_CERT}" },
+ { "id": "securedClusterCollectorServiceTlsKey", "value": "${SECURED_CLUSTER_COLLECTOR_KEY}" },
+ { "id": "securedClusterEnabled", "value": "${SECURED_CLUSTER_ENABLED}" },
+ { "id": "securedClusterSensorServiceTlsCert", "value": "${SECURED_CLUSTER_SENSOR_CERT}" },
+ { "id": "securedClusterSensorServiceTlsKey", "value": "${SECURED_CLUSTER_SENSOR_KEY}" }
 ]
 }
 }
From 4c2881891f702537149dde5e04fb78f16cba999b Mon Sep 17 00:00:00 2001
From: Yury Kovalev
Date: Mon, 9 Oct 2023 12:54:59 +0200
Subject: [PATCH 4/6] Minor fixes to the script
---
 dp-terraform/ocm/install_addon.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/dp-terraform/ocm/install_addon.sh b/dp-terraform/ocm/install_addon.sh
index b7bdc74e2e..297e473a22 100755
--- a/dp-terraform/ocm/install_addon.sh
+++ b/dp-terraform/ocm/install_addon.sh
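Review bot: The nine `securedCluster*` items expand `SECURED_CLUSTER_*` values straight into JSON string literals inside the heredoc; if the certificate and key values are PEM blocks rather than single-line base64 text they contain newlines, and the payload is invalid JSON before `ocm` sees it. Either confirm that the `secured-cluster` external config stores them on one line and record it, e.g. `# SECURED_CLUSTER_* cert/key values must be single-line (base64); raw PEM would break the JSON string`, or pass them through `jq --arg`, which escapes newlines. The items are sent even when `securedClusterEnabled` is `false`, and at this commit an unset variable expands to an empty string because strict mode is still commented out, so a missing value goes unnoticed here. The heredoc starts outside this hunk.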
@@ -177,7 +177,7 @@ ocm post "/api/clusters_mgmt/v1/clusters/${CLUSTER_ID}/addons" << EOF
 { "id": "fleetshardSyncResourcesLimitsMemory", "value": "${FLEETSHARD_SYNC_MEMORY_LIMIT}" },
 { "id": "fleetshardSyncResourcesRequestsCpu", "value": "${FLEETSHARD_SYNC_CPU_REQUEST}" },
 { "id": "fleetshardSyncResourcesRequestsMemory", "value": "${FLEETSHARD_SYNC_MEMORY_REQUEST}" },
- { "id": "fleetshardSyncSecretEncryptionKeyID", "value": "${CLUSTER_SECRET_ENCRYPTION_KEY_ID}" },
+ { "id": "fleetshardSyncSecretEncryptionKeyId", "value": "${CLUSTER_SECRET_ENCRYPTION_KEY_ID}" },
 { "id": "fleetshardSyncSecretEncryptionType", "value": "kms" },
 { "id": "fleetshardSyncTelemetryStorageEndpoint", "value": "${FLEETSHARD_SYNC_TELEMETRY_STORAGE_ENDPOINT:-}" },
 { "id": "fleetshardSyncTelemetryStorageKey", "value": "${FLEETSHARD_SYNC_TELEMETRY_STORAGE_KEY:-}" },
@@ -194,7 +194,7 @@ ocm post "/api/clusters_mgmt/v1/clusters/${CLUSTER_ID}/addons" << EOF
 { "id": "observabilityObservatoriumMetricsClientId", "value": "${OBSERVABILITY_OBSERVATORIUM_METRICS_CLIENT_ID}" },
 { "id": "observabilityObservatoriumMetricsSecret", "value": "${OBSERVABILITY_OBSERVATORIUM_METRICS_SECRET}" },
 { "id": "observabilityObservatoriumRedHatSsoAuthServerUrl", "value": "https://sso.redhat.com/auth/" },
- { "id": "observabilityObservatoriumRedHatSsoRealm", "value": "redhat-external" }
+ { "id": "observabilityObservatoriumRedHatSsoRealm", "value": "redhat-external" },
 { "id": "observabilityOperatorVersion", "value": "${OBSERVABILITY_OPERATOR_VERSION}" },
 { "id": "observabilityPagerdutyKey", "value": "${OBSERVABILITY_PAGERDUTY_ROUTING_KEY}" },
 { "id": "securedClusterAdmissionControlServiceTlsCert", "value": "${SECURED_CLUSTER_ADMISSION_CONTROL_CERT}" },
From 4bec2685b7cccfc2b976da59e57c361eeb739319 Mon Sep 17 00:00:00 2001
From: Yury Kovalev Date: Tue, 10 Oct 2023 15:52:16 +0200 Subject: [PATCH 5/6] Add patch endpoint and mask parameters --- dp-terraform/ocm/install_addon.sh | 69 +++++++++++-------------------- 1 file changed, 23 insertions(+), 46 deletions(-) diff --git a/dp-terraform/ocm/install_addon.sh b/dp-terraform/ocm/install_addon.sh index 297e473a22..d6d0f3b554 100755 --- a/dp-terraform/ocm/install_addon.sh +++ b/dp-terraform/ocm/install_addon.sh @@ -1,7 +1,5 @@ #!/usr/bin/env bash - -#TODO(kovayur): enable and review all shellcheck exclusions (SC2034) -#set -euo pipefail +set -euo pipefail SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)" @@ -36,11 +34,6 @@ case $ENVIRONMENT in OBSERVABILITY_GITHUB_TAG="master" OBSERVABILITY_OBSERVATORIUM_GATEWAY="https://observatorium-mst.api.nonexistent.openshift.com" OBSERVABILITY_OPERATOR_VERSION="v4.2.1" - OPERATOR_USE_UPSTREAM="false" - # shellcheck disable=SC2034 - OPERATOR_CHANNEL="stable" - # shellcheck disable=SC2034 - OPERATOR_VERSION="v4.2.0" FLEETSHARD_SYNC_CPU_REQUEST="${FLEETSHARD_SYNC_CPU_REQUEST:-"200m"}" FLEETSHARD_SYNC_MEMORY_REQUEST="${FLEETSHARD_SYNC_MEMORY_REQUEST:-"512Mi"}" FLEETSHARD_SYNC_CPU_LIMIT="${FLEETSHARD_SYNC_CPU_LIMIT:-"500m"}" @@ -53,16 +46,10 @@ case $ENVIRONMENT in OBSERVABILITY_GITHUB_TAG="master" OBSERVABILITY_OBSERVATORIUM_GATEWAY="https://observatorium-mst.api.stage.openshift.com" OBSERVABILITY_OPERATOR_VERSION="v4.2.1" - OPERATOR_USE_UPSTREAM="false" - # shellcheck disable=SC2034 - OPERATOR_CHANNEL="stable" - # shellcheck disable=SC2034 - OPERATOR_VERSION="v4.2.0" FLEETSHARD_SYNC_CPU_REQUEST="${FLEETSHARD_SYNC_CPU_REQUEST:-"200m"}" FLEETSHARD_SYNC_MEMORY_REQUEST="${FLEETSHARD_SYNC_MEMORY_REQUEST:-"1024Mi"}" FLEETSHARD_SYNC_CPU_LIMIT="${FLEETSHARD_SYNC_CPU_LIMIT:-"1000m"}" FLEETSHARD_SYNC_MEMORY_LIMIT="${FLEETSHARD_SYNC_MEMORY_LIMIT:-"1024Mi"}" - # shellcheck disable=SC2034 SECURED_CLUSTER_ENABLED="false" # TODO(ROX-18908): enable ;; 
@@ -71,16 +58,10 @@ case $ENVIRONMENT in OBSERVABILITY_GITHUB_TAG="stage" OBSERVABILITY_OBSERVATORIUM_GATEWAY="https://observatorium-mst.api.stage.openshift.com" OBSERVABILITY_OPERATOR_VERSION="v4.2.1" - OPERATOR_USE_UPSTREAM="false" - # shellcheck disable=SC2034 - OPERATOR_CHANNEL="stable" - # shellcheck disable=SC2034 - OPERATOR_VERSION="v4.2.0" FLEETSHARD_SYNC_CPU_REQUEST="${FLEETSHARD_SYNC_CPU_REQUEST:-"200m"}" FLEETSHARD_SYNC_MEMORY_REQUEST="${FLEETSHARD_SYNC_MEMORY_REQUEST:-"1024Mi"}" FLEETSHARD_SYNC_CPU_LIMIT="${FLEETSHARD_SYNC_CPU_LIMIT:-"1000m"}" FLEETSHARD_SYNC_MEMORY_LIMIT="${FLEETSHARD_SYNC_MEMORY_LIMIT:-"1024Mi"}" - # shellcheck disable=SC2034 SECURED_CLUSTER_ENABLED="true" ;; @@ -89,16 +70,10 @@ case $ENVIRONMENT in OBSERVABILITY_GITHUB_TAG="production" OBSERVABILITY_OBSERVATORIUM_GATEWAY="https://observatorium-mst.api.openshift.com" OBSERVABILITY_OPERATOR_VERSION="v4.2.1" - OPERATOR_USE_UPSTREAM="false" - # shellcheck disable=SC2034 - OPERATOR_CHANNEL="stable" - # shellcheck disable=SC2034 - OPERATOR_VERSION="v4.2.0" FLEETSHARD_SYNC_CPU_REQUEST="${FLEETSHARD_SYNC_CPU_REQUEST:-"200m"}" FLEETSHARD_SYNC_MEMORY_REQUEST="${FLEETSHARD_SYNC_MEMORY_REQUEST:-"1024Mi"}" FLEETSHARD_SYNC_CPU_LIMIT="${FLEETSHARD_SYNC_CPU_LIMIT:-"1000m"}" FLEETSHARD_SYNC_MEMORY_LIMIT="${FLEETSHARD_SYNC_MEMORY_LIMIT:-"1024Mi"}" - # shellcheck disable=SC2034 SECURED_CLUSTER_ENABLED="true" ;; 
@@ -131,30 +106,14 @@ load_external_config "audit-logs/${CLUSTER_NAME}" AUDIT_LOGS_ echo "Loading external config: cluster-${CLUSTER_NAME}" load_external_config "cluster-${CLUSTER_NAME}" CLUSTER_ -OPERATOR_SOURCE="redhat-operators" -OPERATOR_USE_UPSTREAM="${OPERATOR_USE_UPSTREAM:-false}" -if [[ "${OPERATOR_USE_UPSTREAM}" == "true" ]]; then - oc login --token="${CLUSTER_ROBOT_OC_TOKEN}" --server="$CLUSTER_URL" - - quay_basic_auth="${QUAY_READ_ONLY_USERNAME}:${QUAY_READ_ONLY_PASSWORD}" - pull_secret_json="$(mktemp)" - trap 'rm -f "${pull_secret_json}"' EXIT - oc get secret/pull-secret -n openshift-config --template='{{index .data ".dockerconfigjson" | base64decode}}' > "${pull_secret_json}" - oc registry login --registry="quay.io/rhacs-eng" --auth-basic="${quay_basic_auth}" --to="${pull_secret_json}" --skip-check - oc set data secret/pull-secret -n openshift-config --from-file=.dockerconfigjson="${pull_secret_json}" - # shellcheck disable=SC2034 - OPERATOR_SOURCE="rhacs-operators" -fi - -ocm post "/api/clusters_mgmt/v1/clusters/${CLUSTER_ID}/addons" << EOF +OCM_COMMAND="patch" +OCM_ENDPOINT="/api/clusters_mgmt/v1/clusters/${CLUSTER_ID}/addons/acs-fleetshard" +OCM_PAYLOAD=$(cat << EOF { - "addon": { - "id":"acs-fleetshard" - }, "parameters": { "items": [ { "id": "acscsEnvironment", "value": "${ENVIRONMENT}" }, - { "id": "auditLogsLogGroupName", "value": "${AUDIT_LOGS_LOG_GROUP_NAME}" }, + { "id": "auditLogsLogGroupName", "value": "${AUDIT_LOGS_LOG_GROUP_NAME:-}" }, { "id": "auditLogsRoleArn", "value": "${AUDIT_LOGS_ROLE_ARN:-}" }, { "id": "cloudwatchAwsAccessKeyId", "value": "${CLOUDWATCH_EXPORTER_AWS_ACCESS_KEY_ID:-}" }, { "id": "cloudwatchAwsSecretAccessKey", "value": "${CLOUDWATCH_EXPORTER_AWS_SECRET_ACCESS_KEY:-}" }, 
@@ -210,3 +169,21 @@ ocm post "/api/clusters_mgmt/v1/clusters/${CLUSTER_ID}/addons" << EOF
 }
 }
 EOF
+)
+
+if ! GET_ADDON_BODY=$(ocm get "/api/clusters_mgmt/v1/clusters/$CLUSTER_ID/addons/acs-fleetshard" 2>&1); then
+ result=$(jq -r '.kind + ":" + .id' <<< "$GET_ADDON_BODY")
+ if [[ "$result" != "Error:404" ]]; then
+ echo 1>&2 "Unknown OCM error: $result"
+ exit 1
+ fi
+ OCM_COMMAND="post"
+ OCM_ENDPOINT="/api/clusters_mgmt/v1/clusters/${CLUSTER_ID}/addons"
+ OCM_PAYLOAD=$(jq '. + {addon: { id: "acs-fleetshard" }}' <<< "$OCM_PAYLOAD")
+fi
+
+echo "Running 'ocm $OCM_COMMAND' to install the addon"
+
+OCM_RESPONSE=$(ocm "$OCM_COMMAND" "$OCM_ENDPOINT" <<< "$OCM_PAYLOAD")
+
+jq "{ kind, id, addon, addon_version, state, operator_version, csv_name, creation_timestamp, updated_timestamp }" <<< "$OCM_RESPONSE"
From 92da9c3bb998739fa323510c3b397cbfb5875b02 Mon Sep 17 00:00:00 2001
From: Yury Kovalev
Date: Tue, 10 Oct 2023 16:50:24 +0200
Subject: [PATCH 6/6] Add comments
---
 dp-terraform/ocm/install_addon.sh | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/dp-terraform/ocm/install_addon.sh b/dp-terraform/ocm/install_addon.sh
index d6d0f3b554..d40fe84122 100755
--- a/dp-terraform/ocm/install_addon.sh
+++ b/dp-terraform/ocm/install_addon.sh
@@ -9,7 +9,7 @@ source "$SCRIPT_DIR/../../scripts/lib/external_config.sh"
 if [[ $# -ne 2 ]]; then
 echo "Usage: $0 [environment] [cluster]" >&2
- echo "Known environments: integration stage prod"
+ echo "Known environments: dev integration stage prod"
 echo "Cluster typically looks like: acs-{env}-dp-01"
 exit 2
 fi
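Review bot: The error branch of `if ! GET_ADDON_BODY=$(ocm get … 2>&1)` assumes the captured output is JSON with string `kind` and `id` fields; when `ocm` fails for another reason (expired token, network error, an HTML body from a proxy), `jq -r '.kind + ":" + .id'` exits non-zero on the non-JSON input and, with `set -e` enabled in this same commit, the script dies inside `result=$(…)` without ever printing `Unknown OCM error`. Keeping the raw body as the fallback preserves the diagnostic: `result=$(jq -r '.kind + ":" + .id' <<< "$GET_ADDON_BODY" 2>/dev/null) || result="$GET_ADDON_BODY"`. The message `Running 'ocm $OCM_COMMAND' to install the addon` is also emitted on the patch path, where `install or update` would describe both cases.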
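Review bot: The changed `echo "Known environments: dev integration stage prod"` line still writes to stdout while the `Usage:` line directly above it goes to stderr, so a caller that captures stdout gets half of the usage text mixed into its output. `echo "Known environments: dev integration stage prod" >&2` (and the same `>&2` on the `Cluster typically looks like` line) keeps the whole message on one stream before `exit 2`.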
@@ -171,12 +171,16 @@ OCM_PAYLOAD=$(cat << EOF
 EOF
 )
+# Check whether the addon is installed on a cluster
+# If installed, using the idempotent patch command to update the parameters of the existing installation.
+# Otherwise, use post endpoint to install.
 if ! GET_ADDON_BODY=$(ocm get "/api/clusters_mgmt/v1/clusters/$CLUSTER_ID/addons/acs-fleetshard" 2>&1); then
 result=$(jq -r '.kind + ":" + .id' <<< "$GET_ADDON_BODY")
 if [[ "$result" != "Error:404" ]]; then
 echo 1>&2 "Unknown OCM error: $result"
 exit 1
 fi
+ # Install the addon for the first time
 OCM_COMMAND="post"
 OCM_ENDPOINT="/api/clusters_mgmt/v1/clusters/${CLUSTER_ID}/addons"
 OCM_PAYLOAD=$(jq '. + {addon: { id: "acs-fleetshard" }}' <<< "$OCM_PAYLOAD")
@@ -186,4 +190,5 @@ echo "Running 'ocm $OCM_COMMAND' to install the addon"
 OCM_RESPONSE=$(ocm "$OCM_COMMAND" "$OCM_ENDPOINT" <<< "$OCM_PAYLOAD")
+# Filtering sensitive fields
 jq "{ kind, id, addon, addon_version, state, operator_version, csv_name, creation_timestamp, updated_timestamp }" <<< "$OCM_RESPONSE"
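Review bot: The three-line comment added before `if ! GET_ADDON_BODY=…` reads awkwardly (`If installed, using the idempotent patch command …` has no main verb) and "on a cluster" should be "on the cluster". A tighter version is `# Check whether the addon is already installed on the cluster: if so, update its parameters with the idempotent patch endpoint, otherwise install it with post.` The `if` block starts inside the hunk but its closing `fi` lies outside it.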
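Review bot: `# Filtering sensitive fields` on the final `jq` line describes the opposite of what the projection does: it keeps a fixed set of metadata fields and drops everything else, notably `parameters`, which would echo the secret values just sent. `# Print only non-sensitive metadata; the response's parameters block echoes the secret values and is deliberately dropped.` says what a reader needs. The filter carries no shell expansion, so single quotes would also match the other `jq` invocations in the file.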