@@ -42,6 +42,22 @@ subjects:
4242 apiGroup : policy.open-cluster-management.io
4343---
4444# Source: acm/templates/policies/ocp-gitops-policy.yaml
45+ apiVersion : policy.open-cluster-management.io/v1
46+ kind : PlacementBinding
47+ metadata :
48+ name : openshift-gitops-placement-binding-argocd
49+ annotations :
50+ argocd.argoproj.io/sync-options : SkipDryRunOnMissingResource=true
51+ placementRef :
52+ name : openshift-gitops-placement-argocd
53+ kind : PlacementRule
54+ apiGroup : apps.open-cluster-management.io
55+ subjects :
56+ - name : openshift-gitops-policy-argocd
57+ kind : Policy
58+ apiGroup : policy.open-cluster-management.io
59+ ---
60+ # Source: acm/templates/policies/ocp-gitops-policy.yaml
4561apiVersion : apps.open-cluster-management.io/v1
4662kind : PlacementRule
4763metadata :
6480 - ' true'
6581---
6682# Source: acm/templates/policies/ocp-gitops-policy.yaml
83+ apiVersion : apps.open-cluster-management.io/v1
84+ kind : PlacementRule
85+ metadata :
86+ name : openshift-gitops-placement-argocd
87+ annotations :
88+ argocd.argoproj.io/sync-options : SkipDryRunOnMissingResource=true
89+ spec :
90+ clusterConditions :
91+ - status : ' True'
92+ type : ManagedClusterConditionAvailable
93+ clusterSelector :
94+ matchExpressions :
95+ - key : vendor
96+ operator : In
97+ values :
98+ - OpenShift
99+ - key : local-cluster
100+ operator : NotIn
101+ values :
102+ - ' true'
103+ ---
104+ # Source: acm/templates/policies/ocp-gitops-policy.yaml
67105apiVersion : policy.open-cluster-management.io/v1
68106kind : Policy
69107metadata :
@@ -90,15 +128,6 @@ spec:
90128 include :
91129 - default
92130 object-templates :
93- - complianceType : mustonlyhave
94- objectDefinition :
95- kind : ConfigMap
96- apiVersion : v1
97- metadata :
98- name : trusted-ca-bundle
99- namespace : openshift-gitops
100- labels :
101- config.openshift.io/inject-trusted-cabundle : ' true'
102131 - complianceType : mustonlyhave
103132 objectDefinition :
104133 # This is an auto-generated file. DO NOT EDIT
@@ -119,3 +148,216 @@ spec:
119148 env :
120149 - name : ARGOCD_CLUSTER_CONFIG_NAMESPACES
121150 value : " *"
151+ - complianceType : mustonlyhave
152+ objectDefinition :
153+ kind : ConfigMap
154+ apiVersion : v1
155+ metadata :
156+ name : trusted-ca-bundle
157+ namespace : openshift-gitops
158+ labels :
159+ config.openshift.io/inject-trusted-cabundle : ' true'
160+ ---
161+ # Source: acm/templates/policies/ocp-gitops-policy.yaml
162+ # This policy depends on openshift-gitops-policy and the reason is that we need to be
163+ # certain that the trusted-ca-bundle exists before spawning the clusterwide argocd instance
164+ # because the initcontainer references the trusted-ca-bundle and if it starts without the
165+ # configmap being there we risk running an argo instances that won't trust public CAs
166+ apiVersion : policy.open-cluster-management.io/v1
167+ kind : Policy
168+ metadata :
169+ name : openshift-gitops-policy-argocd
170+ annotations :
171+ policy.open-cluster-management.io/standards : NIST-CSF
172+ policy.open-cluster-management.io/categories : PR.DS Data Security
173+ policy.open-cluster-management.io/controls : PR.DS-1 Data-at-rest
174+ argocd.argoproj.io/sync-options : SkipDryRunOnMissingResource=true
175+ argocd.argoproj.io/compare-options : IgnoreExtraneous
176+ spec :
177+ remediationAction : enforce
178+ disabled : false
179+ dependencies :
180+ - apiVersion : policy.open-cluster-management.io/v1
181+ compliance : Compliant
182+ kind : Policy
183+ name : openshift-gitops-policy
184+ namespace : open-cluster-management
185+ - apiVersion : policy.open-cluster-management.io/v1
186+ compliance : Compliant
187+ kind : Policy
188+ name : hub-argo-ca-openshift-gitops-policy
189+ namespace : open-cluster-management
190+ policy-templates :
191+ - objectDefinition :
192+ apiVersion : policy.open-cluster-management.io/v1
193+ kind : ConfigurationPolicy
194+ metadata :
195+ name : openshift-gitops-config-argocd
196+ spec :
197+ remediationAction : enforce
198+ severity : medium
199+ namespaceSelector :
200+ include :
201+ - default
202+ object-templates :
203+ - complianceType : mustonlyhave
204+ objectDefinition :
205+ apiVersion : argoproj.io/v1beta1
206+ kind : ArgoCD
207+ metadata :
208+ name : openshift-gitops
209+ namespace : openshift-gitops
210+ spec :
211+ applicationSet :
212+ resources :
213+ limits :
214+ cpu : " 2"
215+ memory : 1Gi
216+ requests :
217+ cpu : 250m
218+ memory : 512Mi
219+ webhookServer :
220+ ingress :
221+ enabled : false
222+ route :
223+ enabled : false
224+ controller :
225+ processors : {}
226+ resources :
227+ limits :
228+ cpu : " 2"
229+ memory : 2Gi
230+ requests :
231+ cpu : 250m
232+ memory : 1Gi
233+ sharding : {}
234+ grafana :
235+ enabled : false
236+ ingress :
237+ enabled : false
238+ resources :
239+ limits :
240+ cpu : 500m
241+ memory : 256Mi
242+ requests :
243+ cpu : 250m
244+ memory : 128Mi
245+ route :
246+ enabled : false
247+ ha :
248+ enabled : false
249+ resources :
250+ limits :
251+ cpu : 500m
252+ memory : 256Mi
253+ requests :
254+ cpu : 250m
255+ memory : 128Mi
256+ initialSSHKnownHosts : {}
257+ monitoring :
258+ enabled : false
259+ notifications :
260+ enabled : false
261+ prometheus :
262+ enabled : false
263+ ingress :
264+ enabled : false
265+ route :
266+ enabled : false
267+ rbac :
268+ defaultPolicy : " "
269+ policy : |-
270+ g, system:cluster-admins, role:admin
271+ g, cluster-admins, role:admin
272+ scopes : ' [groups]'
273+ redis :
274+ resources :
275+ limits :
276+ cpu : 500m
277+ memory : 256Mi
278+ requests :
279+ cpu : 250m
280+ memory : 128Mi
281+ repo :
282+ initContainers :
283+ - command :
284+ - bash
285+ - -c
286+ - cat /var/run/kube-root-ca/ca.crt /var/run/trusted-ca/ca-bundle.crt /var/run/trusted-hub/hub-kube-root-ca.crt > /tmp/ca-bundles/ca-bundle.crt
287+ || true
288+ image : registry.redhat.io/ubi9/ubi-minimal:latest
289+ name : fetch-ca
290+ resources : {}
291+ volumeMounts :
292+ - mountPath : /var/run/kube-root-ca
293+ name : kube-root-ca
294+ - mountPath : /var/run/trusted-ca
295+ name : trusted-ca-bundle
296+ - mountPath : /var/run/trusted-hub
297+ name : trusted-hub-bundle
298+ - mountPath : /tmp/ca-bundles
299+ name : ca-bundles
300+ resources :
301+ limits :
302+ cpu : " 1"
303+ memory : 1Gi
304+ requests :
305+ cpu : 250m
306+ memory : 256Mi
307+ volumeMounts :
308+ - mountPath : /etc/pki/tls/certs
309+ name : ca-bundles
310+ volumes :
311+ - configMap :
312+ name : kube-root-ca.crt
313+ name : kube-root-ca
314+ - configMap :
315+ name : trusted-ca-bundle
316+ optional : true
317+ name : trusted-ca-bundle
318+ - configMap :
319+ name : trusted-hub-bundle
320+ optional : true
321+ name : trusted-hub-bundle
322+ - emptyDir : {}
323+ name : ca-bundles
324+ resourceExclusions : |-
325+ - apiGroups:
326+ - tekton.dev
327+ clusters:
328+ - '*'
329+ kinds:
330+ - TaskRun
331+ - PipelineRun
332+ server :
333+ autoscale :
334+ enabled : false
335+ grpc :
336+ ingress :
337+ enabled : false
338+ ingress :
339+ enabled : false
340+ resources :
341+ limits :
342+ cpu : 500m
343+ memory : 256Mi
344+ requests :
345+ cpu : 125m
346+ memory : 128Mi
347+ route :
348+ enabled : true
349+ service :
350+ type : " "
351+ sso :
352+ dex :
353+ openShiftOAuth : true
354+ resources :
355+ limits :
356+ cpu : 500m
357+ memory : 256Mi
358+ requests :
359+ cpu : 250m
360+ memory : 128Mi
361+ provider : dex
362+ tls :
363+ ca : {}