From e3a70060e1f5e01ebeebe89a6f62307fde33bd60 Mon Sep 17 00:00:00 2001 
From: Cory Latschkowski Date: Sat, 26 Aug 2023 15:51:01 -0500 Subject: [PATCH] cleanup: old path --- components/operators/cert-manager/README.md | 15 ---- .../acs-central-certificate/README.md | 5 -- .../acs-central-certificate.yaml | 13 ---- .../kustomization.yaml | 5 -- .../letsencrypt-route53-issuer/README.md | 18 ----- .../kustomization.yaml | 9 --- .../letsencrypt-prod-cluster-issuer.yaml | 22 ------ .../letsencrypt-staging-cluster-issuer.yaml | 22 ------ .../openshift-api-certificate/README.md | 3 - .../kustomization.yaml | 8 --- .../openshift-api-certificate.yaml | 12 ---- .../patch-cluster-api-cert-job.yaml | 71 ------------------- .../openshift-wildcard-certificate/README.md | 3 - .../kustomization.yaml | 8 --- .../openshift-wildcard-certificate.yaml | 13 ---- .../patch-cluster-wildcard-cert-job.yaml | 67 ----------------- .../operator/base/kustomization.yaml | 9 --- .../operator/base/operator-group.yaml | 5 -- .../operator/base/operator-namespace.yaml | 8 --- .../operator/base/subscription.yaml | 11 --- .../operator/overlays/tech-preview/README.md | 1 - .../overlays/tech-preview/kustomization.yaml | 16 ----- .../overlays/tech-preview/patch-channel.yaml | 3 - 23 files changed, 347 deletions(-) delete mode 100644 components/operators/cert-manager/README.md delete mode 100644 components/operators/cert-manager/examples/acs-central-certificate/README.md delete mode 100644 components/operators/cert-manager/examples/acs-central-certificate/acs-central-certificate.yaml delete mode 100644 components/operators/cert-manager/examples/acs-central-certificate/kustomization.yaml delete mode 100644 components/operators/cert-manager/examples/letsencrypt-route53-issuer/README.md delete mode 100644 components/operators/cert-manager/examples/letsencrypt-route53-issuer/kustomization.yaml delete mode 100644 components/operators/cert-manager/examples/letsencrypt-route53-issuer/letsencrypt-prod-cluster-issuer.yaml delete mode 100644 
components/operators/cert-manager/examples/letsencrypt-route53-issuer/letsencrypt-staging-cluster-issuer.yaml delete mode 100644 components/operators/cert-manager/examples/openshift-api-certificate/README.md delete mode 100644 components/operators/cert-manager/examples/openshift-api-certificate/kustomization.yaml delete mode 100644 components/operators/cert-manager/examples/openshift-api-certificate/openshift-api-certificate.yaml delete mode 100644 components/operators/cert-manager/examples/openshift-api-certificate/patch-cluster-api-cert-job.yaml delete mode 100644 components/operators/cert-manager/examples/openshift-wildcard-certificate/README.md delete mode 100644 components/operators/cert-manager/examples/openshift-wildcard-certificate/kustomization.yaml delete mode 100644 components/operators/cert-manager/examples/openshift-wildcard-certificate/openshift-wildcard-certificate.yaml delete mode 100644 components/operators/cert-manager/examples/openshift-wildcard-certificate/patch-cluster-wildcard-cert-job.yaml delete mode 100644 components/operators/cert-manager/operator/base/kustomization.yaml delete mode 100644 components/operators/cert-manager/operator/base/operator-group.yaml delete mode 100644 components/operators/cert-manager/operator/base/operator-namespace.yaml delete mode 100644 components/operators/cert-manager/operator/base/subscription.yaml delete mode 100644 components/operators/cert-manager/operator/overlays/tech-preview/README.md delete mode 100644 components/operators/cert-manager/operator/overlays/tech-preview/kustomization.yaml delete mode 100644 components/operators/cert-manager/operator/overlays/tech-preview/patch-channel.yaml diff --git a/components/operators/cert-manager/README.md b/components/operators/cert-manager/README.md deleted file mode 100644 index 8b118d2d..00000000 --- a/components/operators/cert-manager/README.md +++ /dev/null 
@@ -1,15 +0,0 @@
-### Introduction
-
-This deploys the cert-manager operator which is currently Tech Preview in 4.10. If you are not familiar with cert-manager, it provisions and manages TLS certificates for you automatically using one or more configured Issuers. It's great for providing a self-service capability around TLS certificates out of the OpenShift platform.
-
-Documentation on OpenShift cert-manager is available [here](https://docs.openshift.com/container-platform/4.10/security/cert_manager_operator/index.html).
-
-Community documentation for cert-manager is located [here](https://cert-manager.io/docs/).
-
-### Examples
-
-The examples folder contains some examples of how to use cert-manager including how to use it to provision OpenShift API and Wildcard certificates. There is a README associated with each example when you navigate to each folder.
-
-### TODO
-
-At some point I would like to make the examples directly deployable via a Helm chart. The examples are a case which would benefit from Helm templating versus patching in kustomize since many of the values can be derived from two parameters: cluster name and domain.
\ No newline at end of file
diff --git a/components/operators/cert-manager/examples/acs-central-certificate/README.md b/components/operators/cert-manager/examples/acs-central-certificate/README.md
deleted file mode 100644
index 4e8e78f8..00000000
--- a/components/operators/cert-manager/examples/acs-central-certificate/README.md
+++ /dev/null
@@ -1,5 +0,0 @@ -This is an example of using cert-manager to generate a TLS certificate for the Red Hat Advanced Cluster Security Central endpoint (i.e. `central-stackrox...com`). - -To use this, update the certificate object to reflect your desired issuer and host name for the API endpoint. In the example we are using the letsencrypt-prod issuer in the examples folder. - -Note the certificate will overwrite the existing default certificate so you may wish to back that up first before using this. \ No newline at end of file diff --git a/components/operators/cert-manager/examples/acs-central-certificate/acs-central-certificate.yaml b/components/operators/cert-manager/examples/acs-central-certificate/acs-central-certificate.yaml deleted file mode 100644 index b0aedb94..00000000 --- a/components/operators/cert-manager/examples/acs-central-certificate/acs-central-certificate.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: central-acs-certificate - namespace: stackrox -spec: - # Replace default secret since ACS doesn't support referencing a different secret - secretName: central-default-tls-cert - issuerRef: - name: letsencrypt-prod - kind: ClusterIssuer - dnsNames: - - central-stackrox.apps.cluster.example.com diff --git a/components/operators/cert-manager/examples/acs-central-certificate/kustomization.yaml b/components/operators/cert-manager/examples/acs-central-certificate/kustomization.yaml deleted file mode 100644 index 265d6461..00000000 --- a/components/operators/cert-manager/examples/acs-central-certificate/kustomization.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -resources: - - acs-central-certificate.yaml diff --git a/components/operators/cert-manager/examples/letsencrypt-route53-issuer/README.md b/components/operators/cert-manager/examples/letsencrypt-route53-issuer/README.md deleted file mode 100644 index 6d482d72..00000000 
--- a/components/operators/cert-manager/examples/letsencrypt-route53-issuer/README.md +++ /dev/null @@ -1,18 +0,0 @@ -This is an example issuer that uses letsencrypt (i.e. ACME) with a DNS challenge in AWS Route53. This example is useful when using AWS Route 53 as your DNS authority for OpenShift whether on-prem (like in my homelab) or in AWS itself. Documentation on Route 53 and cert-manager can be found here: - -https://cert-manager.io/docs/configuration/acme/dns01/route53/#creating-an-issuer-or-clusterissuer - -In order to this you need to update the staging and production letsencrypt issuers with the following information: - -* The email that you use with letsencrypt -* The DNS Zone selector that is being managed by Route 53 that this issuer should be tied to (set to example.com here) -* The region that is being used -- The Access ID for the user in AWS that has permissions to work with Route 53, see the linked docs for IAM permissions required. This should absolutely not be the root AWS user - -You will also need to create a secret to hold the AWS secret key corresponding to the access ID provided: - -``` -oc create secret generic letsencrypt-aws --from-literal=secret-access-key=XXXXXXXX -``` - -Obviously from a GitOps perspective this secret needs to be stored securely using something like Sealed Secrets or Vault. \ No newline at end of file diff --git a/components/operators/cert-manager/examples/letsencrypt-route53-issuer/kustomization.yaml b/components/operators/cert-manager/examples/letsencrypt-route53-issuer/kustomization.yaml deleted file mode 100644 index d5a0f4a8..00000000 --- a/components/operators/cert-manager/examples/letsencrypt-route53-issuer/kustomization.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -commonAnnotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - -resources: - - letsencrypt-prod-cluster-issuer.yaml - - letsencrypt-staging-cluster-issuer.yaml 
diff --git a/components/operators/cert-manager/examples/letsencrypt-route53-issuer/letsencrypt-prod-cluster-issuer.yaml b/components/operators/cert-manager/examples/letsencrypt-route53-issuer/letsencrypt-prod-cluster-issuer.yaml deleted file mode 100644 index aa457f79..00000000 --- a/components/operators/cert-manager/examples/letsencrypt-route53-issuer/letsencrypt-prod-cluster-issuer.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: cert-manager.io/v1 -kind: ClusterIssuer -metadata: - name: letsencrypt-prod -spec: - acme: - server: https://acme-v02.api.letsencrypt.org/directory - email: someone@example.com - # This key doesn't exist, cert-manager creates it - privateKeySecretRef: - name: example-issuer-account-key - solvers: - - selector: - dnsZones: - - "example.com" - dns01: - route53: - region: ca-central-1 - accessKeyID: XXXXXXXXXX - secretAccessKeySecretRef: - name: letsencrypt-aws - key: secret-access-key diff --git a/components/operators/cert-manager/examples/letsencrypt-route53-issuer/letsencrypt-staging-cluster-issuer.yaml b/components/operators/cert-manager/examples/letsencrypt-route53-issuer/letsencrypt-staging-cluster-issuer.yaml deleted file mode 100644 index a015c4ed..00000000 --- a/components/operators/cert-manager/examples/letsencrypt-route53-issuer/letsencrypt-staging-cluster-issuer.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: cert-manager.io/v1 -kind: ClusterIssuer -metadata: - name: letsencrypt-staging -spec: - acme: - server: https://acme-staging-v02.api.letsencrypt.org/directory - email: someone@example.com - # This key doesn't exist, cert-manager creates it - privateKeySecretRef: - name: example-issuer-account-key - solvers: - - selector: - dnsZones: - - "example.com" - dns01: - route53: - region: ca-central-1 - accessKeyID: XXXXXXXX - secretAccessKeySecretRef: - name: letsencrypt-aws - key: secret-access-key 
diff --git a/components/operators/cert-manager/examples/openshift-api-certificate/README.md b/components/operators/cert-manager/examples/openshift-api-certificate/README.md deleted file mode 100644 index 2d8286a0..00000000 --- a/components/operators/cert-manager/examples/openshift-api-certificate/README.md +++ /dev/null @@ -1,3 +0,0 @@ -This is an example of using cert-manager to generate a TLS certificate for the OpenShift API endpoint (i.e. `api...com`) and patching it using an Argo CD post-sync hook. - -To use this, update the certificate object to reflect your desired issuer and host name for the API endpoint. In the example we are using the letsencrypt-prod issuer in the examples folder. \ No newline at end of file diff --git a/components/operators/cert-manager/examples/openshift-api-certificate/kustomization.yaml b/components/operators/cert-manager/examples/openshift-api-certificate/kustomization.yaml deleted file mode 100644 index 0ad06190..00000000 --- a/components/operators/cert-manager/examples/openshift-api-certificate/kustomization.yaml +++ /dev/null @@ -1,8 +0,0 @@ -kind: Kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 - -namespace: openshift-config - -resources: - - openshift-api-certificate.yaml - - patch-cluster-api-cert-job.yaml diff --git a/components/operators/cert-manager/examples/openshift-api-certificate/openshift-api-certificate.yaml b/components/operators/cert-manager/examples/openshift-api-certificate/openshift-api-certificate.yaml deleted file mode 100644 index b6d0b93d..00000000 --- a/components/operators/cert-manager/examples/openshift-api-certificate/openshift-api-certificate.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: openshift-api - namespace: openshift-config -spec: - secretName: openshift-api-certificate - issuerRef: - name: letsencrypt-prod - kind: ClusterIssuer - dnsNames: - - api.cluster.example.com 
diff --git a/components/operators/cert-manager/examples/openshift-api-certificate/patch-cluster-api-cert-job.yaml b/components/operators/cert-manager/examples/openshift-api-certificate/patch-cluster-api-cert-job.yaml
deleted file mode 100644
index 9d38a7a4..00000000
--- a/components/operators/cert-manager/examples/openshift-api-certificate/patch-cluster-api-cert-job.yaml
+++ /dev/null
@@ -1,71 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: patch-cluster-api-cert -rules: - - apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - apiGroups: - - config.openshift.io - resources: - - apiservers - verbs: - - get - - list - - patch - - update ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: patch-cluster-api-cert -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: patch-cluster-api-cert -subjects: - - kind: ServiceAccount - name: patch-cluster-api-cert ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: patch-cluster-api-cert ---- -apiVersion: batch/v1 -kind: Job -metadata: - name: patch-cluster-api-cert - annotations: - argocd.argoproj.io/hook: PostSync - argocd.argoproj.io/hook-delete-policy: HookSucceeded -spec: - template: - spec: - containers: - - image: image-registry.openshift-image-registry.svc:5000/openshift/cli:latest - env: - - name: API_HOST_NAME - value: api.home.ocplab.com - command: - - /bin/bash - - -c - - | - #!/usr/bin/env bash - if oc get secret openshift-api-certificate -n openshift-config; then - oc patch apiserver cluster --type=merge -p '{"spec":{"servingCerts": {"namedCertificates": [{"names": ["'$API_HOST_NAME'"], "servingCertificate": {"name": "openshift-api-certificate"}}]}}}' - else - echo "Could not execute sync as secret 'openshift-api-certificate' in namespace 'openshift-config' does not exist, check status of CertificationRequest" - exit 1 - fi - name: patch-cluster-api-cert - dnsPolicy: ClusterFirst - restartPolicy: Never - terminationGracePeriodSeconds: 30 - serviceAccount: patch-cluster-api-cert - serviceAccountName: patch-cluster-api-cert diff --git a/components/operators/cert-manager/examples/openshift-wildcard-certificate/README.md b/components/operators/cert-manager/examples/openshift-wildcard-certificate/README.md deleted file mode 100644 index d1e7f359..00000000 
--- a/components/operators/cert-manager/examples/openshift-wildcard-certificate/README.md +++ /dev/null @@ -1,3 +0,0 @@ -This is an example of using cert-manager to generate a TLS certificate for the OpenShift wildcard ingress endpoint (i.e. `*.apps...com`) and patching it using an Argo CD post-sync hook. - -To use this, update the certificate object to reflect your desired issuer, cluster name and host name for the wildcard ingress endpoint. In the example we are using the letsencrypt-prod issuer in the examples folder. \ No newline at end of file diff --git a/components/operators/cert-manager/examples/openshift-wildcard-certificate/kustomization.yaml b/components/operators/cert-manager/examples/openshift-wildcard-certificate/kustomization.yaml deleted file mode 100644 index 2dd00477..00000000 --- a/components/operators/cert-manager/examples/openshift-wildcard-certificate/kustomization.yaml +++ /dev/null @@ -1,8 +0,0 @@ -kind: Kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 - -namespace: openshift-ingress - -resources: - - openshift-wildcard-certificate.yaml - - patch-cluster-wildcard-cert-job.yaml diff --git a/components/operators/cert-manager/examples/openshift-wildcard-certificate/openshift-wildcard-certificate.yaml b/components/operators/cert-manager/examples/openshift-wildcard-certificate/openshift-wildcard-certificate.yaml deleted file mode 100644 index 4a485ca5..00000000 --- a/components/operators/cert-manager/examples/openshift-wildcard-certificate/openshift-wildcard-certificate.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: openshift-wildcard - namespace: openshift-ingress -spec: - secretName: openshift-wildcard-certificate - issuerRef: - name: letsencrypt-prod - kind: ClusterIssuer - commonName: '*.apps.cluster.example.com' - dnsNames: - - '*.apps.cluster.example.com' 
diff --git a/components/operators/cert-manager/examples/openshift-wildcard-certificate/patch-cluster-wildcard-cert-job.yaml b/components/operators/cert-manager/examples/openshift-wildcard-certificate/patch-cluster-wildcard-cert-job.yaml
deleted file mode 100644
index c4d804ab..00000000
--- a/components/operators/cert-manager/examples/openshift-wildcard-certificate/patch-cluster-wildcard-cert-job.yaml
+++ /dev/null
@@ -1,67 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: patch-cluster-wildcard-cert -rules: - - apiGroups: - - operator.openshift.io - resources: - - ingresscontrollers - verbs: - - get - - list - - patch - - apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: patch-cluster-wildcard-cert -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: patch-cluster-wildcard-cert -subjects: - - kind: ServiceAccount - name: patch-cluster-wildcard-cert ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: patch-cluster-wildcard-cert ---- -apiVersion: batch/v1 -kind: Job -metadata: - name: patch-cluster-wildcard-cert - annotations: - argocd.argoproj.io/hook: PostSync - argocd.argoproj.io/hook-delete-policy: HookSucceeded -spec: - template: - spec: - containers: - - image: image-registry.openshift-image-registry.svc:5000/openshift/cli:latest - command: - - /bin/bash - - -c - - | - #!/usr/bin/env bash - if oc get secret openshift-wildcard-certificate -n openshift-ingress; then - oc patch ingresscontroller default -n openshift-ingress-operator --type=merge --patch='{"spec": { "defaultCertificate": { "name": "openshift-wildcard-certificate" }}}' - else - echo "Could not execute sync as secret 'openshift-wildcard-certificate' in namespace 'openshift-ingress' does not exist, check status of CertificationRequest" - exit 1 - fi - name: patch-cluster-wildcard-cert - dnsPolicy: ClusterFirst - restartPolicy: Never - terminationGracePeriodSeconds: 30 - serviceAccount: patch-cluster-wildcard-cert - serviceAccountName: patch-cluster-wildcard-cert diff --git a/components/operators/cert-manager/operator/base/kustomization.yaml b/components/operators/cert-manager/operator/base/kustomization.yaml deleted file mode 100644 index f020476b..00000000 
--- a/components/operators/cert-manager/operator/base/kustomization.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -namespace: openshift-cert-manager-operator - -resources: - - operator-namespace.yaml - - operator-group.yaml - - subscription.yaml diff --git a/components/operators/cert-manager/operator/base/operator-group.yaml b/components/operators/cert-manager/operator/base/operator-group.yaml deleted file mode 100644 index a2882a4e..00000000 --- a/components/operators/cert-manager/operator/base/operator-group.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: openshift-cert-manager-operator -spec: {} diff --git a/components/operators/cert-manager/operator/base/operator-namespace.yaml b/components/operators/cert-manager/operator/base/operator-namespace.yaml deleted file mode 100644 index f59360fa..00000000 --- a/components/operators/cert-manager/operator/base/operator-namespace.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - annotations: - openshift.io/display-name: Red Hat Certificate Manager Operator - labels: - openshift.io/cluster-monitoring: 'true' - name: openshift-cert-manager-operator diff --git a/components/operators/cert-manager/operator/base/subscription.yaml b/components/operators/cert-manager/operator/base/subscription.yaml deleted file mode 100644 index 921ff168..00000000 --- a/components/operators/cert-manager/operator/base/subscription.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: openshift-cert-manager-operator - namespace: openshift-cert-manager-operator -spec: - channel: patch-me-see-overlays-dir - installPlanApproval: Automatic - name: openshift-cert-manager-operator - source: redhat-operators - sourceNamespace: openshift-marketplace 
diff --git a/components/operators/cert-manager/operator/overlays/tech-preview/README.md b/components/operators/cert-manager/operator/overlays/tech-preview/README.md deleted file mode 100644 index f568bbf1..00000000 --- a/components/operators/cert-manager/operator/overlays/tech-preview/README.md +++ /dev/null @@ -1 +0,0 @@ -Installs the *preview* channel version of the OpenShift GitOps Operator diff --git a/components/operators/cert-manager/operator/overlays/tech-preview/kustomization.yaml b/components/operators/cert-manager/operator/overlays/tech-preview/kustomization.yaml deleted file mode 100644 index 90e4ef41..00000000 --- a/components/operators/cert-manager/operator/overlays/tech-preview/kustomization.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -namespace: openshift-cert-manager-operator - -resources: - - ../../base - -patches: - - target: - group: operators.coreos.com - version: v1alpha1 - kind: Subscription - name: openshift-cert-manager-operator - namespace: openshift-cert-manager-operator - path: patch-channel.yaml diff --git a/components/operators/cert-manager/operator/overlays/tech-preview/patch-channel.yaml b/components/operators/cert-manager/operator/overlays/tech-preview/patch-channel.yaml deleted file mode 100644 index 876e3230..00000000 --- a/components/operators/cert-manager/operator/overlays/tech-preview/patch-channel.yaml +++ /dev/null @@ -1,3 +0,0 @@ -- op: replace - path: /spec/channel - value: tech-preview