IBM / cloudpak-gitops

Deployment of IBM Cloud Paks using ArgoCD / Red Hat GitOps operator.
Apache License 2.0

RHACM policies do not push IBM entitlement key to labeled clusters #258

Closed nastacio closed 12 months ago

nastacio commented 1 year ago

Describe the bug The RHACM policies for Cloud Paks deploy OpenShift GitOps and Cloud Paks to clusters, but not the IBM entitlement key.

To Reproduce N/A

Expected behavior The policies should copy the IBM entitlement key from the RHACM cluster to the labeled clusters before adding the Application resources for the respective Cloud Paks to the clusters.

Screenshots If applicable, add screenshots to help explain your problem.

Additional context Add any other context about the problem here.

nastacio commented 1 year ago

Looking into RHACM docs, there is a way to copy data from the hub cluster to the managed clusters: https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.8/html/governance/governance#template-comparison-table

Note the {{hub ... hub}} notation.

In that sense, a Policy like this copies a Secret from the hub to a managed cluster (I just tested it):

```yaml
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  name: entkey-test
  namespace: openshift-gitops
  annotations:
    policy.open-cluster-management.io/categories: CM Configuration Management
    policy.open-cluster-management.io/controls: CM-2 Baseline Configuration
    policy.open-cluster-management.io/standards: NIST SP 800-53
spec:
  disabled: false
  policy-templates:
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name: policy-entkey
        spec:
          namespaceSelector:
            exclude:
              - kube-*
            include:
              - default
          object-templates:
            - complianceType: musthave
              objectDefinition:
                apiVersion: v1
                data:
                  .dockerconfigjson: '{{hub index (lookup "v1" "Secret" "openshift-gitops"
                    "ibm-entitlement-key").data ".dockerconfigjson" hub}}'
                kind: Secret
                metadata:
                  name: ibm-entitled-key
                  namespace: openshift-gitops
                type: kubernetes.io/dockerconfigjson
          remediationAction: inform
          severity: low
  remediationAction: enforce
```

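
To show how the `{{hub ... hub}}` expression in that Policy is resolved, and what to verify on the copied Secret, here is an added Python example (not part of the issue or the cloudpak-gitops repository): it simulates RHACM's `lookup` against a constructed hub Secret store holding a placeholder entitlement key and checks that the resolved `.dockerconfigjson` carries credentials for the IBM registry. The store layout and the registry name `cp.icr.io` are assumptions.

```python
import base64
import json
import re

# Constructed stand-in for the hub cluster's Secrets (namespace -> name -> .data), base64 as in a real Secret.
def _docker_config(registry, user, password):
    auth = base64.b64encode(f"{user}:{password}".encode()).decode()
    cfg = {"auths": {registry: {"username": user, "password": password, "auth": auth}}}
    return base64.b64encode(json.dumps(cfg).encode()).decode()

HUB_SECRETS = {
    "openshift-gitops": {
        "ibm-entitlement-key": {
            ".dockerconfigjson": _docker_config("cp.icr.io", "cp", "PLACEHOLDER_ENTITLEMENT_KEY"),
        }
    }
}

# The template form used in the Policy above: {{hub index (lookup API KIND NS NAME).data KEY hub}}
HUB_LOOKUP = re.compile(
    r'\{\{hub\s+index\s+\(lookup\s+"([^"]+)"\s+"([^"]+)"\s+"([^"]+)"\s+"([^"]+)"\)'
    r'\.data\s+"([^"]+)"\s+hub\}\}'
)

def resolve_hub_template(template, hub_secrets=HUB_SECRETS):
    """Return the value the hub template resolves to (still base64, exactly as stored in .data)."""
    m = HUB_LOOKUP.fullmatch(" ".join(template.split()))
    if not m:
        raise ValueError(f"unsupported hub template: {template!r}")
    api, kind, ns, name, key = m.groups()
    if (api, kind) != ("v1", "Secret"):
        raise ValueError(f"only v1/Secret lookups are simulated, got {api}/{kind}")
    try:
        return hub_secrets[ns][name][key]
    except KeyError:
        raise LookupError(f"hub Secret {ns}/{name} has no key {key!r}") from None

def is_valid_pull_secret(b64_value, registry="cp.icr.io"):
    """Check that a copied .dockerconfigjson is a docker config with usable credentials for the registry."""
    try:
        cfg = json.loads(base64.b64decode(b64_value))
    except (ValueError, TypeError):
        return False
    entry = cfg.get("auths", {}).get(registry, {})
    return bool(entry.get("auth") or (entry.get("username") and entry.get("password")))

# The template string from the Policy above, as YAML folds the quoted scalar onto one line.
POLICY_TEMPLATE = ('{{hub index (lookup "v1" "Secret" "openshift-gitops" '
                   '"ibm-entitlement-key").data ".dockerconfigjson" hub}}')
```

If the hub Secret is missing, `resolve_hub_template` raises `LookupError`, which mirrors the situation the policy controller reports as non-compliant when the key was never created in `openshift-gitops` on the hub.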
nastacio commented 1 year ago

With the previous comment, the solution to this issue would be:

  1. Update the rhacm.md page to instruct the user to create that ibm-entitlement-key in the openshift-gitops namespace. That is already a requirement in the install.md page for other clusters, so we can just copy that entire block.
  2. Add this policy to the rhacm-seeds project, bound using a file similar to placement-cp-shared.yaml
nastacio commented 12 months ago

:tada: This issue has been resolved in version 0.30.4 :tada:

The release is available on GitHub release

Your semantic-release bot :package::rocket: