apiVersion: project.openshift.io/v1
kind: Project
metadata:
  # Namespace that hosts the RHACS (StackRox) operator itself. Created in the
  # first sync wave so the OperatorGroup and Subscription below have a home.
  name: rhacs-operator
  labels:
    kubernetes.io/metadata.name: rhacs-operator
  annotations:
    argocd.argoproj.io/sync-wave: "0"
    openshift.io/description: ""
    openshift.io/display-name: ""
spec:
  finalizers:
    - kubernetes
---
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: rhacs-operator
  namespace: rhacs-operator
  annotations:
    # After the Project (wave 0), before the Subscription (wave 10).
    argocd.argoproj.io/sync-wave: "5"
spec:
  # No targetNamespaces are listed, so OLM treats this as an all-namespaces
  # OperatorGroup; the operator watches Central/SecuredCluster in every
  # namespace, including the stackrox namespace created further down.
  upgradeStrategy: Default
---
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: rhacs-operator
  namespace: rhacs-operator
  annotations:
    argocd.argoproj.io/sync-wave: "10"
spec:
  name: rhacs-operator
  source: redhat-operators
  sourceNamespace: openshift-marketplace
  channel: rhacs-4.0
  # startingCSV only pins the *first* CSV that gets installed. Because the
  # install plan approval is Automatic, OLM will afterwards follow the channel
  # and upgrade the operator without a review step; switch to Manual if every
  # operator upgrade should be approved explicitly.
  startingCSV: rhacs-operator.v4.0.1
  installPlanApproval: Automatic
---
apiVersion: project.openshift.io/v1
kind: Project
metadata:
  # Namespace for Central, the secured-cluster services and the init hook.
  name: stackrox
  labels:
    kubernetes.io/metadata.name: stackrox
  annotations:
    argocd.argoproj.io/sync-wave: "15"
    openshift.io/description: ""
    openshift.io/display-name: ""
spec:
  finalizers:
    - kubernetes
---
apiVersion: v1
kind: Secret
metadata:
  # Initial admin password for Central. Referenced twice: by the Central CR
  # (spec.central.adminPasswordSecret) and by the init-hook Job, which reads
  # the `password` key into ROX_ADMIN_PASSWORD.
  name: central-admin
  namespace: stackrox
  annotations:
    argocd.argoproj.io/sync-wave: "15"
type: Opaque
data:
  # The value is produced by the chart's "acs-admin-password" named template
  # at render time (base64-encoded and quoted there), so no password is
  # written into this file. Where the template takes it from is defined in
  # that helper, not here.
  password: {{ include "acs-admin-password" . | b64enc | quote }}
---
apiVersion: platform.stackrox.io/v1alpha1
kind: Central
metadata:
  name: stackrox-central-services
  namespace: stackrox
  annotations:
    argocd.argoproj.io/sync-wave: "15"
    # The Central CRD only exists once the operator (wave 10) has installed,
    # so Argo CD's dry-run on an unknown resource kind has to be skipped.
    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
spec:
  central:
    # Use the password from the central-admin Secret instead of letting the
    # operator generate one.
    adminPasswordSecret:
      name: central-admin
    exposure:
      # Only the OpenShift Route is exposed; the hook resolves its hostname.
      route:
        enabled: true
      loadBalancer:
        enabled: false
        port: 443
      nodePort:
        enabled: false
    db:
      isEnabled: Default
      persistence:
        persistentVolumeClaim:
          claimName: central-db
    persistence:
      persistentVolumeClaim:
        claimName: stackrox-db
  egress:
    connectivityPolicy: Online
  scanner:
    scannerComponent: Enabled
    analyzer:
      scaling:
        autoScaling: Enabled
        minReplicas: 2
        maxReplicas: 5
        replicas: 3
---
apiVersion: v1
kind: ServiceAccount
metadata:
  # Identity the stackrox-init-hook Job runs as; its permissions come from
  # the RoleBinding of the same name.
  name: stackrox-hook
  namespace: stackrox
  annotations:
    argocd.argoproj.io/sync-wave: "20"
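---
# Least-privilege RBAC for the stackrox-init-hook Job. The rules cover exactly
# what configure-acs.sh does with `oc` in the stackrox namespace:
#   - get route/central                 -> discover the Central address
#   - get/create secret                 -> stackrox-api-token cache
#   - apply the init-bundle Secrets     -> get/create/patch of the *-tls secrets
# The previous binding used the built-in `edit` ClusterRole, which also grants
# write access to Deployments, Services, ConfigMaps, PVCs and more that the
# hook never touches.
#
# NOTE: roleRef of an existing RoleBinding cannot be changed in place. On a
# cluster that already has the old binding, delete it first (or sync this
# resource with Replace=true) so the new roleRef can be applied.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: stackrox-hook
  namespace: stackrox
  annotations:
    argocd.argoproj.io/sync-wave: "20"
rules:
  - apiGroups:
      - route.openshift.io
    resources:
      - routes
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
      - create
      - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: stackrox-hook
  namespace: stackrox
  annotations:
    argocd.argoproj.io/sync-wave: "20"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: stackrox-hook
subjects:
  - kind: ServiceAccount
    name: stackrox-hook
    namespace: stackrox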
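---
apiVersion: v1
kind: ConfigMap
metadata:
  name: stackrox-hook
  namespace: stackrox
  annotations:
    argocd.argoproj.io/sync-wave: "20"
data:
  # Entry point of the stackrox-init-hook Job. It is idempotent: the API token
  # and the cluster init bundle are only created when their Secret is missing.
  # Inputs (environment):
  #   ROX_ADMIN_PASSWORD  required, injected from the central-admin Secret
  #   ROXCTL_SHA256       optional, expected SHA-256 of the roxctl download
  #   JQ_SHA256           optional, expected SHA-256 of the jq download
  #   ROX_WAIT_ATTEMPTS   optional, readiness polls (5s apart) before giving up
  configure-acs.sh: |
    #!/bin/bash

    set -Eeuo pipefail
    # Files written below (downloaded tools, the init bundle containing TLS
    # private keys) must not be readable by anyone else in the container.
    umask 077

    # Temporary files are always removed, whether the script succeeds or not.
    CURL_AUTH_CFG=""
    cleanup() {
      rm -f /tmp/cluster_init_bundle.yaml
      if [[ -n "$CURL_AUTH_CFG" ]]; then
        rm -f "$CURL_AUTH_CFG"
      fi
      return 0
    }
    trap cleanup EXIT

    # Tool downloads. Note that roxctl 4.0.0 is fetched while the operator is
    # subscribed to channel rhacs-4.0 starting at v4.0.1; keep the two aligned
    # when bumping either. Set the *_SHA256 variables to make the download
    # fail on a mismatch; without them only HTTPS and the pinned URL protect
    # the supply chain (sha256sum is only invoked when a pin is configured).
    ROXCTL_URL="https://mirror.openshift.com/pub/rhacs/assets/4.0.0/bin/Linux/roxctl"
    JQ_URL="https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64"
    ROXCTL_SHA256="${ROXCTL_SHA256:-}"
    JQ_SHA256="${JQ_SHA256:-}"

    # fetch_tool NAME URL [SHA256]
    # Downloads into /tmp/bin; -f turns HTTP errors into a non-zero exit so a
    # 404 page is never installed as a "binary"; verifies the checksum when one
    # is given; then marks the file executable.
    fetch_tool() {
      local name="$1" url="$2" sha="${3:-}"
      local dest="/tmp/bin/$name"
      curl -sfLo "$dest" "$url"
      if [[ -n "$sha" ]]; then
        echo "$sha  $dest" | sha256sum -c --quiet
      else
        echo "WARNING: no checksum configured for $name; download not verified" >&2
      fi
      chmod 755 "$dest"
    }

    mkdir -p /tmp/bin
    fetch_tool roxctl "$ROXCTL_URL" "$ROXCTL_SHA256"
    fetch_tool jq "$JQ_URL" "$JQ_SHA256"
    export PATH="/tmp/bin:$PATH"

    echo "========================================================================"
    echo " Connecting to Red Hat ACS"
    echo "========================================================================"
    echo

    # jsonpath is used instead of go-template so the expression contains no
    # `{{ }}` that Helm would try to expand while rendering this ConfigMap.
    CENTRAL_HOST="$(oc get route central -n stackrox -o jsonpath='{.spec.host}')"
    if [[ -z "$CENTRAL_HOST" ]]; then
      echo "ERROR: route central in namespace stackrox has no host" >&2
      exit 1
    fi
    export ROX_CENTRAL_ADDRESS="${CENTRAL_HOST}:443"
    export ROX_CENTRAL_HOSTNAME="$ROX_CENTRAL_ADDRESS"

    # Poll until Central answers. This is an unauthenticated reachability probe
    # (no credentials are sent); -k keeps the original behaviour of not
    # verifying the route certificate here. Bounded so a Central that never
    # comes up surfaces as a failed run instead of a silently hanging pod.
    attempts=0
    while ! curl -sfko /dev/null "https://$ROX_CENTRAL_ADDRESS/"; do
      attempts=$((attempts + 1))
      if (( attempts >= ${ROX_WAIT_ATTEMPTS:-120} )); then
        echo "ERROR: Red Hat ACS not reachable after $attempts attempts" >&2
        exit 1
      fi
      echo "Red Hat ACS not ready..."
      sleep 5
    done

    echo "========================================================================"
    echo " Retrieving an API Token for Red Hat ACS"
    echo "========================================================================"
    echo

    if ! oc get secret stackrox-api-token -n stackrox &>/dev/null; then
      # The token is minted with the Admin role (needed to generate init
      # bundles) and cached in a Secret so later runs do not mint another one.
      POLICY_JSON='{ "name": "init-token", "role":"Admin"}'
      APIURL="https://$ROX_CENTRAL_ADDRESS/v1/apitokens/generate"

      # Hand the basic-auth credential to curl through a 0600 config file
      # rather than on the command line, where it would show up in the
      # process list. Backslashes and double quotes are escaped because the
      # value sits inside a double-quoted curl config string.
      CURL_AUTH_CFG="$(mktemp)"
      printf 'user = "admin:%s"\n' "$(printf '%s' "$ROX_ADMIN_PASSWORD" | sed 's/[\\"]/\\&/g')" > "$CURL_AUTH_CFG"

      # -f: a 401/5xx now fails the pipeline (pipefail) instead of producing a
      # "null" token that would be cached forever in the Secret below. The
      # assignment is kept separate from `export` so set -e sees the status.
      ROX_API_TOKEN="$(curl -sfk -K "$CURL_AUTH_CFG" -H 'Content-Type: application/json' -X POST -d "$POLICY_JSON" "$APIURL" | jq -r '.token')"
      rm -f "$CURL_AUTH_CFG"
      CURL_AUTH_CFG=""
      if [[ -z "$ROX_API_TOKEN" || "$ROX_API_TOKEN" == "null" ]]; then
        echo "ERROR: Central did not return an API token" >&2
        exit 1
      fi
      export ROX_API_TOKEN
      oc create secret generic stackrox-api-token -n stackrox --from-literal=token="$ROX_API_TOKEN"
    else
      ROX_API_TOKEN="$(oc get secret stackrox-api-token -n stackrox -o jsonpath='{.data.token}' | base64 -d)"
      export ROX_API_TOKEN
    fi

    echo "========================================================================"
    echo " Generating the Cluster Init Bundle"
    echo "========================================================================"
    echo

    if ! oc get secret admission-control-tls -n stackrox &>/dev/null; then
      # The bundle file carries the secured-cluster TLS Secrets (private keys
      # included). A stale copy from an earlier attempt is discarded first, and
      # the file is deleted right after it has been applied (and by the trap).
      rm -f /tmp/cluster_init_bundle.yaml
      roxctl -e "$ROX_CENTRAL_ADDRESS" central init-bundles generate local-cluster --output-secrets /tmp/cluster_init_bundle.yaml
      oc apply -f /tmp/cluster_init_bundle.yaml -n stackrox
      rm -f /tmp/cluster_init_bundle.yaml
    fi

    exit 0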
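---
apiVersion: batch/v1
kind: Job
metadata:
  name: stackrox-init-hook
  namespace: stackrox
  annotations:
    argocd.argoproj.io/sync-wave: "20"
spec:
  # Failed runs of configure-acs.sh are retried with back-off up to this many
  # times. The script is idempotent (it skips steps whose output Secret already
  # exists), so retries are safe.
  backoffLimit: 30
  template:
    spec:
      serviceAccountName: stackrox-hook
      restartPolicy: OnFailure
      terminationGracePeriodSeconds: 30
      # Hardening: the hook only runs `oc`, `curl`, `roxctl` and `jq` as an
      # unprivileged user; nothing here needs root, privilege escalation or
      # extra capabilities.
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: hook
          # Pinned by tag only; pinning by digest would make the image
          # immutable in the same way the *_SHA256 pins do for the downloads
          # the script performs.
          image: registry.redhat.io/openshift4/ose-cli:v4.13
          imagePullPolicy: IfNotPresent
          command:
            - /entrypoint/configure-acs.sh
          args: []
          env:
            # Used once, to mint the first API token against Central.
            - name: ROX_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: central-admin
                  key: password
            - name: USER
              value: openshift
            # The script writes its tools and temp files under $HOME/tmp.
            - name: HOME
              value: /tmp
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          volumeMounts:
            - name: stackrox-hook
              mountPath: /entrypoint
              readOnly: true
      volumes:
        - name: stackrox-hook
          configMap:
            name: stackrox-hook
            # Kubernetes reads manifests with YAML 1.1 semantics, so the
            # leading zero makes this octal 0755 (decimal 493): the mounted
            # script has to be executable.
            defaultMode: 0755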
---
apiVersion: platform.stackrox.io/v1alpha1
kind: SecuredCluster
metadata:
  name: stackrox-secured-cluster-services
  namespace: stackrox
  annotations:
    # Last wave: the init-bundle Secrets produced by the hook (wave 20) must
    # exist before the secured-cluster services start.
    argocd.argoproj.io/sync-wave: "30"
    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
spec:
  # Must match the bundle name passed to `roxctl central init-bundles generate`
  # in configure-acs.sh (local-cluster).
  clusterName: local-cluster
  auditLogs:
    collection: Auto
  admissionControl:
    listenOnCreates: true
    listenOnUpdates: true
    listenOnEvents: true
    timeoutSeconds: 20
    contactImageScanners: ScanIfMissing
    # BreakGlassAnnotation keeps the documented break-glass escape hatch for
    # admission control enabled; review whether that is wanted in production.
    bypass: BreakGlassAnnotation
  scanner:
    scannerComponent: AutoSense
    analyzer:
      scaling:
        autoScaling: Enabled
        minReplicas: 2
        maxReplicas: 5
        replicas: 3
  perNode:
    taintToleration: TolerateTaints
    collector:
      collection: EBPF
      imageFlavor: Regular