diff --git a/.github/workflows/create-demo-clusters.yml b/.github/workflows/create-demo-clusters.yml index c6fcf7d4..05f5c6ed 100644 --- a/.github/workflows/create-demo-clusters.yml +++ b/.github/workflows/create-demo-clusters.yml @@ -1,5 +1,44 @@ name: Create demo clusters for version on: + # For testing this workflow from a branch of stackrox/actions (the normal + # path is workflow_call from stackrox/stackrox). To test: + # 1. Push your branch to stackrox/actions, note the HEAD commit SHA. + # 2. Create a branch in stackrox/stackrox and edit + # .github/workflows/create-clusters.yml — change these fields: + # uses: stackrox/actions/...@ + # workflow-ref: + # Also change CLUSTER_WITH_FAKE_LOAD_NAME and CLUSTER_WITH_REAL_LOAD_NAME + # to unique prefixes to avoid clashing with production clusters. + # 3. Dispatch "RELEASE: Create Clusters" from that stackrox/stackrox branch + # with create-long-cluster=true and an existing ACS version (e.g. 4.11.0). + workflow_dispatch: + inputs: + version: + description: Version of the images + required: true + type: string + create-long-cluster: + description: Create a long-running cluster + default: true + type: boolean + workflow-ref: + description: Ref for actions checkout (defaults to current branch) + type: string + kube-burner-config-ref: + description: Ref for kube-burner config (defaults to version) + type: string + kube-burner-config-repo: + description: Repo with kube-burner config + default: stackrox + type: string + cluster-with-fake-load-name: + description: Fake-load cluster name + default: test-fl + type: string + cluster-with-real-load-name: + description: Real-load cluster name + default: test-rl + type: string workflow_call: inputs: version: @@ -51,6 +90,7 @@ env: jobs: properties: + if: github.event_name != 'workflow_dispatch' runs-on: ubuntu-latest outputs: slack-channel: ${{ fromJSON(format('["{0}","{1}"]', steps.fetch.outputs.dry-slack-channel, steps.fetch.outputs.slack-channel))[inputs.dry-run != true] }} 
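Review bot: The new `workflow_dispatch` block declares `create-long-cluster` but not `dry-run`, `create-k8s-cluster` or `create-os4-cluster`, which the job conditions in the later hunks still read (`inputs.dry-run != true`, `inputs.create-k8s-cluster != false`). On a manual dispatch those names are absent from the `inputs` context, so whether the k8s and OS4 cluster jobs run hinges on how an empty value compares against `false` under expression coercion rather than on anything stated in the file. Declare them under `workflow_dispatch.inputs` with an explicit `type: boolean` and `default: false` so the test path the comment describes is spelled out and does not depend on coercion rules. The comment block is useful; it could also state that `properties` and `wait-for-images` are skipped on a dispatch, since that is what the `github.event_name != 'workflow_dispatch'` guards in the next hunks do.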
@@ -72,7 +112,7 @@ jobs: - name: Parse refs (extract SHA from git-describe format) env: INPUT_VERSION: ${{ inputs.version }} - INPUT_KUBE_BURNER_VERSION: ${{ inputs.kube-burner-config-ref }} + INPUT_KUBE_BURNER_VERSION: ${{ inputs.kube-burner-config-ref || inputs.version }} id: parse run: | set -euo pipefail @@ -103,10 +143,12 @@ jobs: wait-for-images: name: Wait for images on Quay.io runs-on: ubuntu-latest - if: >- # Skip if no clusters are going to be created. + if: >- + github.event_name != 'workflow_dispatch' && ( inputs.create-k8s-cluster != false || inputs.create-os4-cluster != false || inputs.create-long-cluster != false + ) strategy: matrix: image: [main, scanner, scanner-db, scanner-v4, scanner-v4-db, collector] @@ -116,7 +158,7 @@ jobs: with: repository: stackrox/actions path: .actions - ref: ${{ inputs.workflow-ref }} + ref: ${{ inputs.workflow-ref || github.ref_name }} - name: Wait for the ${{matrix.image}} image uses: ./.actions/release/wait-for-image with: @@ -129,7 +171,7 @@ jobs: create-k8s-cluster: name: Create k8s cluster needs: [wait-for-images] - if: inputs.dry-run != true && inputs.create-k8s-cluster != false + if: "!cancelled() && !failure() && inputs.dry-run != true && inputs.create-k8s-cluster != false" runs-on: ubuntu-latest steps: - name: Checkout local action @@ -137,7 +179,7 @@ jobs: with: repository: stackrox/actions path: .actions - ref: ${{ inputs.workflow-ref }} + ref: ${{ inputs.workflow-ref || github.ref_name }} - uses: ./.actions/infra/create-cluster with: token: ${{ secrets.INFRA_TOKEN }} @@ -159,6 +201,7 @@ jobs: echo "cluster-name=${NAME//./-}" >> "$GITHUB_OUTPUT" echo "url=https://${NAME//[.-]/}.demos.rox.systems/login" >> "$GITHUB_OUTPUT" - name: Post to Slack + if: needs.properties.outputs.slack-channel != '' env: SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} uses: slackapi/slack-github-action@v1.26.0 
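Review bot: The new `if: needs.properties.outputs.slack-channel != ''` on the Post to Slack step in `@@ -159,6 +201,7 @@` belongs to `create-k8s-cluster`, whose `needs` is `[wait-for-images]` as shown in `@@ -129,7 +171,7 @@`. The `needs` context only carries a job's direct dependencies, so unless `properties` is listed in this job's `needs` somewhere not visible here the expression is always empty and the step is skipped on `workflow_call` runs as well, which is presumably not the intent. The same guard is added in `@@ -221,6 +264,7 @@` and `@@ -575,6 +630,7 @@`; the `needs` of those jobs are outside the hunks and should be checked too. If the goal is only to silence Slack on the manual test path, `if: github.event_name != 'workflow_dispatch'` expresses that without a dependency on `properties`; otherwise add `properties` to `needs` and keep the guard.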
@@ -199,7 +242,7 @@ jobs: with: repository: stackrox/actions path: .actions - ref: ${{ inputs.workflow-ref }} + ref: ${{ inputs.workflow-ref || github.ref_name }} - uses: ./.actions/infra/create-cluster with: token: ${{ secrets.INFRA_TOKEN }} @@ -221,6 +264,7 @@ jobs: echo "cluster-name=${NAME//./-}" >> "$GITHUB_OUTPUT" echo "url=https://central-stackrox.apps.${NAME//./-}.ocp.infra.rox.systems/login" >> "$GITHUB_OUTPUT" - name: Post to Slack + if: needs.properties.outputs.slack-channel != '' env: SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} uses: slackapi/slack-github-action@v1.26.0 @@ -255,6 +299,7 @@ jobs: name: Create GKE long-running cluster for fake load needs: [wait-for-images] if: >- + !cancelled() && !failure() && inputs.dry-run != true && inputs.create-long-cluster == true runs-on: ubuntu-latest @@ -264,7 +309,7 @@ jobs: with: repository: stackrox/actions path: .actions - ref: ${{ inputs.workflow-ref }} + ref: ${{ inputs.workflow-ref || github.ref_name }} - uses: ./.actions/infra/create-cluster with: token: ${{ secrets.INFRA_TOKEN }} @@ -280,6 +325,7 @@ jobs: name: Create GKE long-running cluster for real load needs: [wait-for-images] if: >- + !cancelled() && !failure() && inputs.dry-run != true && inputs.create-long-cluster == true runs-on: ubuntu-latest @@ -289,7 +335,7 @@ jobs: with: repository: stackrox/actions path: .actions - ref: ${{ inputs.workflow-ref }} + ref: ${{ inputs.workflow-ref || github.ref_name }} - uses: ./.actions/infra/create-cluster with: token: ${{ secrets.INFRA_TOKEN }} @@ -303,10 +349,12 @@ jobs: start-acs: name: Start ACS needs: [properties, parse-refs, create-long-running-cluster-for-fake-load] + if: "!cancelled() && !failure()" runs-on: ubuntu-latest outputs: rox-password: ${{ steps.launch-central.outputs.rox-password }} central-ip: ${{ steps.launch-central.outputs.central-ip }} + ca-cert: ${{ steps.launch-central.outputs.ca-cert }} env: NAME: ${{ inputs.cluster-with-fake-load-name }} KUBECONFIG: artifacts/kubeconfig 
@@ -330,7 +378,7 @@ jobs: with: repository: stackrox/actions path: .actions - ref: ${{ inputs.workflow-ref }} + ref: ${{ inputs.workflow-ref || github.ref_name }} - uses: "google-github-actions/auth@v2" with: credentials_json: "${{ secrets.GCP_RELEASE_AUTOMATION_SA }}" @@ -342,6 +390,7 @@ jobs: id: artifacts run: | infractl artifacts "${NAME//./-}" -d artifacts >> "$GITHUB_STEP_SUMMARY" + - uses: ./.actions/roxie/install-cli - name: Launch central id: launch-central uses: ./.actions/release/start-acs @@ -355,6 +404,7 @@ jobs: name: ${{ env.NAME }} - name: Post to Slack + if: needs.properties.outputs.slack-channel != '' env: SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} uses: slackapi/slack-github-action@v1.26.0 @@ -398,6 +448,7 @@ jobs: start-secured-cluster: name: Start secured cluster needs: [properties, parse-refs, start-acs, create-long-running-cluster-for-real-load] + if: "!cancelled() && !failure()" runs-on: ubuntu-latest env: SECURED_CLUSTER_NAME: ${{ inputs.cluster-with-real-load-name }} @@ -422,7 +473,7 @@ jobs: with: repository: stackrox/actions path: .actions - ref: ${{ inputs.workflow-ref }} + ref: ${{ inputs.workflow-ref || github.ref_name }} - uses: "google-github-actions/auth@v2" with: credentials_json: "${{ secrets.GCP_RELEASE_AUTOMATION_SA }}" @@ -440,6 +491,7 @@ jobs: registry: quay.io username: ${{ secrets.QUAY_RHACS_ENG_RO_USERNAME }} password: ${{ secrets.QUAY_RHACS_ENG_RO_PASSWORD }} + - uses: ./.actions/roxie/install-cli - name: Launch secured cluster id: launch-secured-cluster uses: ./.actions/release/start-secured-cluster 
@@ -451,10 +503,12 @@ jobs: registry-password: ${{ secrets.QUAY_RHACS_ENG_RO_PASSWORD }} rox-admin-password: ${{ needs.start-acs.outputs.rox-password }} central-ip: ${{ needs.start-acs.outputs.central-ip }} + ca-cert: ${{ needs.start-acs.outputs.ca-cert }} start-kube-burner-for-secured-cluster: name: Start kube-burner for the secured cluster needs: [properties, parse-refs, start-secured-cluster] + if: "!cancelled() && !failure()" runs-on: ubuntu-latest env: INFRA_NAME: ${{ inputs.cluster-with-real-load-name }} @@ -483,7 +537,7 @@ jobs: with: repository: stackrox/actions path: .actions - ref: ${{ inputs.workflow-ref }} + ref: ${{ inputs.workflow-ref || github.ref_name }} - uses: "google-github-actions/auth@v2" with: credentials_json: "${{ secrets.GCP_RELEASE_AUTOMATION_SA }}" @@ -509,6 +563,7 @@ jobs: start-kube-burner-for-central: name: Start kube-burner for Central needs: [properties, parse-refs, start-acs] + if: "!cancelled() && !failure()" runs-on: ubuntu-latest env: INFRA_NAME: ${{ inputs.cluster-with-fake-load-name }} @@ -531,7 +586,7 @@ jobs: with: repository: stackrox/actions path: .actions - ref: ${{ inputs.workflow-ref }} + ref: ${{ inputs.workflow-ref || github.ref_name }} - uses: "google-github-actions/auth@v2" with: credentials_json: "${{ secrets.GCP_RELEASE_AUTOMATION_SA }}" @@ -575,6 +630,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Post to Slack + if: needs.properties.outputs.slack-channel != '' env: SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} uses: slackapi/slack-github-action@v1.26.0 diff --git a/release/start-acs/action.yml b/release/start-acs/action.yml index 3cfd925d..8290262d 100644 --- a/release/start-acs/action.yml +++ b/release/start-acs/action.yml @@ -22,7 +22,7 @@ inputs: required: true default: "" stackrox-dir: - description: Where the stackrox directory is located + description: Where the stackrox directory is located (needed for monitoring chart) required: true default: "" name: 
@@ -42,24 +42,15 @@ runs: - id: launch-central env: - ROX_PRODUCT_BRANDING: RHACS_BRANDING MAIN_IMAGE_TAG: ${{ inputs.main-image-tag }} - API_ENDPOINT: localhost:8000 - STORAGE: pvc # Backing storage - STORAGE_CLASS: faster # Runs on an SSD type - STORAGE_SIZE: "100" # 100G - MONITORING_SUPPORT: "true" # Runs monitoring - LOAD_BALANCER: lb - SECURED_CLUSTER_AUTO_LOCK_PROCESS_BASELINES: "true" - ROX_ADMIN_USERNAME: admin + MONITORING_SUPPORT: "true" PAGERDUTY_INTEGRATION_KEY: ${{ inputs.pagerduty-integration-key }} + ROX_ADMIN_USERNAME: admin REGISTRY_USERNAME: ${{ inputs.registry-username }} REGISTRY_PASSWORD: ${{ inputs.registry-password }} KUBECONFIG: ${{ inputs.kubeconfig }} STACKROX_DIR: ${{ inputs.stackrox-dir }} NAME: ${{ inputs.name }} - ROX_TELEMETRY_STORAGE_KEY_V1: R5fMyO9n0gibSGzOXtlP2qCFWCGb8uoW - ROX_SCANNER_V4: "true" run: | set -uo pipefail "${GITHUB_ACTION_PATH}/../../common/common.sh" \ @@ -73,3 +64,6 @@ outputs: central-ip: description: The ip address of central value: ${{steps.launch-central.outputs.central-ip}} + ca-cert: + description: Base64-encoded Central CA certificate + value: ${{steps.launch-central.outputs.ca-cert}} diff --git a/release/start-acs/patch-central.json b/release/start-acs/patch-central.json deleted file mode 100644 index 2b60315f..00000000 --- a/release/start-acs/patch-central.json +++ /dev/null @@ -1,45 +0,0 @@ -{ - "spec": { - "template": { - "spec": { - "containers": [ - { - "name": "central", - "env": [ - { - "name": "MUTEX_WATCHDOG_TIMEOUT_SECS", - "value": "0" - }, - { - "name": "ROX_EXTERNAL_IPS", - "value": "true" - }, - { - "name": "ROX_NETWORK_GRAPH_EXTERNAL_IPS", - "value": "true" - }, - { - "name": "ROX_AUTO_LOCK_PROCESS_BASELINES", - "value": "true" - }, - { - "name": "ROX_BASELINE_GENERATION_DURATION", - "value": "3m" - } - ], - "resources": { - "requests": { - "memory": "3Gi", - "cpu": "2" - }, - "limits": { - "memory": "12Gi", - "cpu": "4" - } - } - } - ] - } - } - } -} 
diff --git a/release/start-acs/patch-sensor.json b/release/start-acs/patch-sensor.json deleted file mode 100644 index f4445769..00000000 --- a/release/start-acs/patch-sensor.json +++ /dev/null @@ -1,45 +0,0 @@ -{ - "spec": { - "template": { - "spec": { - "containers": [ - { - "name": "sensor", - "env": [ - { - "name": "MUTEX_WATCHDOG_TIMEOUT_SECS", - "value": "0" - }, - { - "name": "ROX_FAKE_KUBERNETES_WORKLOAD", - "value": "long-running" - }, - { - "name": "ROX_NETFLOW_BATCHING", - "value": "true" - }, - { - "name": "ROX_NETFLOW_CACHE_LIMITING", - "value": "true" - }, - { - "name": "ROX_FAKE_WORKLOAD_STORAGE", - "value": "/var/cache/stackrox/pebble.db" - } - ], - "resources": { - "requests": { - "memory": "3Gi", - "cpu": "2" - }, - "limits": { - "memory": "12Gi", - "cpu": "4" - } - } - } - ] - } - } - } -} diff --git a/release/start-acs/roxie-config.yaml b/release/start-acs/roxie-config.yaml new file mode 100644 index 00000000..3f8c593c --- /dev/null +++ b/release/start-acs/roxie-config.yaml 
@@ -0,0 +1,89 @@ +# Resource requests, limits, and scaling settings below are tuned to match +# the previous deploy-scripts-based flow. They may be adjusted in the future +# to better resemble a typical customer deployment. +central: + namespace: stackrox + spec: + central: + exposure: + loadBalancer: + enabled: true + resources: + requests: + memory: "3Gi" + cpu: "2" + limits: + memory: "12Gi" + cpu: "4" + db: + persistence: + persistentVolumeClaim: + storageClassName: premium-rwo + size: "100Gi" + scanner: + scannerComponent: Enabled + analyzer: + scaling: + autoScaling: Enabled + minReplicas: 1 + maxReplicas: 5 + replicas: 1 + customize: + envVars: + - name: MUTEX_WATCHDOG_TIMEOUT_SECS + value: "0" + - name: ROX_EXTERNAL_IPS + value: "true" + - name: ROX_NETWORK_GRAPH_EXTERNAL_IPS + value: "true" + - name: ROX_AUTO_LOCK_PROCESS_BASELINES + value: "true" + - name: ROX_BASELINE_GENERATION_DURATION + value: "3m" + - name: ROX_TELEMETRY_STORAGE_KEY_V1 + value: "R5fMyO9n0gibSGzOXtlP2qCFWCGb8uoW" + scannerV4: + scannerComponent: Enabled + db: + resources: + requests: + cpu: "500m" + indexer: + resources: + requests: + cpu: "400m" + scaling: + autoScaling: Disabled + replicas: 1 + matcher: + resources: + requests: + cpu: "400m" + scaling: + autoScaling: Disabled + replicas: 1 +securedCluster: + namespace: stackrox + spec: + sensor: + resources: + requests: + memory: "3Gi" + cpu: "2" + limits: + memory: "12Gi" + cpu: "4" + processBaselines: + autoLock: Enabled + customize: + envVars: + - name: MUTEX_WATCHDOG_TIMEOUT_SECS + value: "0" + - name: ROX_FAKE_KUBERNETES_WORKLOAD + value: "long-running" + - name: ROX_NETFLOW_BATCHING + value: "true" + - name: ROX_NETFLOW_CACHE_LIMITING + value: "true" + - name: ROX_FAKE_WORKLOAD_STORAGE + value: "/var/cache/stackrox/pebble.db" diff --git a/release/start-acs/start-acs.sh b/release/start-acs/start-acs.sh index bce490d6..0826255f 100755 --- a/release/start-acs/start-acs.sh +++ b/release/start-acs/start-acs.sh 
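Review bot: The header comment says the values match the previous deploy-scripts flow, but `storageClassName: premium-rwo` replaces `STORAGE_CLASS: faster` from the removed action env, and the `scannerV4` requests have no counterpart in the deleted patch files, so the comment overstates what the diff shows; say which values were re-derived and why. `ROX_TELEMETRY_STORAGE_KEY_V1` is now a literal in a committed config file (it was already a literal in action.yml, so this is a move rather than a new exposure); if the key is anything other than a public client-side identifier it belongs in a repository secret injected through the step `env`, not in VCS. `MUTEX_WATCHDOG_TIMEOUT_SECS: "0"` appears under both `central` and `securedCluster` with no explanation; a one-line comment above each entry stating why the watchdog is disabled on these clusters would save the next reader a search.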
@@ -27,41 +27,50 @@ set -euo pipefail SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)" -# shellcheck source=/dev/null -source "${STACKROX_DIR}"/deploy/common/deploy.sh +if ! command -v roxctl &>/dev/null; then + gh_log notice "Installing roxctl ${MAIN_IMAGE_TAG}..." + curl -fsSL --retry 5 --retry-all-errors \ + -o ~/.local/bin/roxctl \ + "https://mirror.openshift.com/pub/rhacs/assets/${MAIN_IMAGE_TAG}/bin/linux/roxctl" + chmod +x ~/.local/bin/roxctl +fi if kubectl -n stackrox get deploy/central; then gh_log error "Central is already running. It means that you are trying to deploy ACS to a cluster where it is already deployed. This can happen if you try to create a long-running cluster for a release candicate when the such a cluster already exists. Try looking for another workflow that created the cluster." exit 1 fi -gh_log notice "Deploying central..." -"${STACKROX_DIR}"/deploy/k8s/central.sh - -gh_log notice "Forwarding central port..." -kubectl -n stackrox port-forward deploy/central 8000:8443 > /dev/null 2>&1 & -sleep 20 - -gh_log notice "Deploying sensor..." -"${STACKROX_DIR}"/deploy/k8s/sensor.sh - -gh_log notice "Patching sensor deployment..." -kubectl -n stackrox patch deploy/sensor --patch-file="${SCRIPT_DIR}/patch-sensor.json" +gh_log notice "Deploying ACS with roxie..." +roxie_envrc="$(mktemp)" +roxie deploy \ + --verbose \ + --tag "$MAIN_IMAGE_TAG" \ + --config "${SCRIPT_DIR}/roxie-config.yaml" \ + --envrc "$roxie_envrc" \ + --early-readiness -gh_log notice "Patching central deployment..." 
-kubectl -n stackrox patch deploy/central --patch-file="${SCRIPT_DIR}/patch-central.json" - -CENTRAL_IP=$(kubectl -n stackrox get svc/central-loadbalancer -o json | jq -r '.status.loadBalancer.ingress[0] | .ip // .hostname') +# shellcheck source=/dev/null +source "$roxie_envrc" +CENTRAL_IP="${API_ENDPOINT%:*}" gh_log notice "CENTRAL_IP=$CENTRAL_IP" -API_ENDPOINT="${CENTRAL_IP}:443" -wait_for_central "${API_ENDPOINT}" - -ROX_ADMIN_PASSWORD=$(cat "${STACKROX_DIR}"/deploy/k8s/central-deploy/password) +if [[ "${MONITORING_SUPPORT:-}" == "true" ]]; then + gh_log notice "Deploying monitoring stack..." + monitoring_values="$(mktemp)" + envsubst < "${STACKROX_DIR}/deploy/charts/monitoring/values.yaml" > "$monitoring_values" + helm dependency update "${STACKROX_DIR}/deploy/charts/monitoring" + helm upgrade -n stackrox --install stackrox-monitoring \ + "${STACKROX_DIR}/deploy/charts/monitoring" \ + --values "$monitoring_values" \ + --set persistence.type=pvc \ + --set exposure.type=none + rm -f "$monitoring_values" +fi # Don't mask the password: masked values are not passed to the runner. gh_output rox-password "$ROX_ADMIN_PASSWORD" gh_output central-ip "$CENTRAL_IP" +gh_output ca-cert "$(base64 -w0 < "$ROX_CA_CERT_FILE")" gh_log notice "Creating access-rhacs secret with the username and the password..." kubectl -n stackrox create secret generic access-rhacs \ diff --git a/release/start-secured-cluster/action.yml b/release/start-secured-cluster/action.yml index 5ef433dd..b468722a 100644 --- a/release/start-secured-cluster/action.yml +++ b/release/start-secured-cluster/action.yml @@ -29,6 +29,10 @@ inputs: description: The IP address for central required: true default: "" + ca-cert: + description: Base64-encoded Central CA certificate + required: true + default: "" runs: using: composite 
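Review bot: The roxctl fallback writes an executable fetched from the mirror straight to `~/.local/bin/roxctl` with no integrity check, and `curl -o` fails if `~/.local/bin` does not exist yet. Add `mkdir -p ~/.local/bin` before the download and, if the mirror publishes a checksum for that release, compare the file against it before `chmod +x`; the identical block is duplicated in start-secured-cluster.sh (`@@ -5,75 +5,66 @@`), so a shared helper in common.sh would keep both in step. `roxie_envrc` is sourced for `ROX_ADMIN_PASSWORD` and `ROX_CA_CERT_FILE` but, unlike `monitoring_values`, never removed, which leaves the admin password in a temp file on the runner; add `rm -f "$roxie_envrc"` right after the `source`. `CENTRAL_IP="${API_ENDPOINT%:*}"` assumes `API_ENDPOINT` is a bare `host:port`; if roxie ever emits a scheme or an IPv6 literal the strip yields the wrong value, so a comment stating the expected form (or a check) is worth adding.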
@@ -40,31 +44,29 @@ runs: username: ${{ inputs.registry-username }} password: ${{ inputs.registry-password }} + - name: Decode CA certificate + id: ca-cert + shell: bash + run: | + ca_cert_file="$(mktemp)" + echo "${{ inputs.ca-cert }}" | base64 -d > "$ca_cert_file" + echo "file=$ca_cert_file" >> "$GITHUB_OUTPUT" + - id: launch-secured-cluster env: - ROX_PRODUCT_BRANDING: RHACS_BRANDING - MAIN_IMAGE_TAG: ${{inputs.main-image-tag}} # Release version, e.g. 3.63.0-rc.2. + MAIN_IMAGE_TAG: ${{ inputs.main-image-tag }} REGISTRY_USERNAME: ${{ inputs.registry-username }} REGISTRY_PASSWORD: ${{ inputs.registry-password }} - ROX_ADMIN_PASSWORD: ${{ inputs.rox-admin-password }} + ROX_ADMIN_PASSWORD: ${{ inputs.rox-admin-password }} ROX_ADMIN_USERNAME: admin + CENTRAL_IP: ${{ inputs.central-ip }} + CLUSTER_API_ENDPOINT: https://${{ inputs.central-ip }}:443 + API_ENDPOINT: ${{ inputs.central-ip }}:443 + ROX_CA_CERT_FILE: ${{ steps.ca-cert.outputs.file }} + MONITORING_SUPPORT: "true" PAGERDUTY_INTEGRATION_KEY: ${{ inputs.pagerduty-integration-key }} - CENTRAL_IP: ${{ inputs.central-ip }} - CLUSTER_API_ENDPOINT: https://${{ inputs.central-ip }}:443 - API_ENDPOINT: ${{ inputs.central-ip }}:443 - CLUSTER: secured-cluster - MONITORING_SUPPORT: "true" - STORAGE: pvc - MONITORING_LOAD_BALANCER: none KUBECONFIG: ${{ inputs.kubeconfig }} STACKROX_DIR: ${{ github.workspace }} - COMMON_DIR: ${{ github.workspace }}/deploy/common - SECURED_CLUSTER_AUTO_LOCK_PROCESS_BASELINES: "true" - SFA_AGENT: "true" - SENSOR_HELM_DEPLOY: "true" - ROX_DEPLOY_SENSOR_WITH_CRS: "false" - ROX_NETFLOW_BATCHING: "true" - ROX_NETFLOW_CACHE_LIMITING: "true" run: | set -uo pipefail "${GITHUB_ACTION_PATH}/../../common/common.sh" \ diff --git a/release/start-secured-cluster/roxie-config.yaml b/release/start-secured-cluster/roxie-config.yaml new file mode 100644 index 00000000..0440fc57 --- /dev/null +++ b/release/start-secured-cluster/roxie-config.yaml 
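Review bot: The new `Decode CA certificate` step inlines `${{ inputs.ca-cert }}` into the `run` script, so the input is pasted into the shell source before it executes; a value containing a quote or `$(` changes the command instead of being treated as data. Pass it through the environment instead: add `env: CA_CERT_B64: ${{ inputs.ca-cert }}` to the step and use `printf '%s' "$CA_CERT_B64" | base64 -d > "$ca_cert_file"`. Since the input is declared with `default: ""` in the previous hunk, an empty value is accepted silently and `base64 -d` just writes an empty file; a guard such as `[[ -n "$CA_CERT_B64" ]] || { echo "ca-cert input is empty" >&2; exit 1; }` fails early regardless of whether `required` is enforced. The `run:` block of `launch-secured-cluster` continues past the end of the hunk.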
@@ -0,0 +1,57 @@ +# Resource requests, limits, and scaling settings below are tuned to match +# the previous deploy-scripts-based flow. They may be adjusted in the future +# to better resemble a typical customer deployment. +securedCluster: + namespace: stackrox + spec: + sensor: + resources: + requests: + memory: "500Mi" + cpu: "500m" + limits: + memory: "8Gi" + cpu: "4" + admissionControl: + resources: + limits: + memory: "500Mi" + scanner: + scannerComponent: AutoSense + analyzer: + scaling: + autoScaling: Enabled + minReplicas: 2 + maxReplicas: 5 + replicas: 2 + scannerV4: + indexer: + scaling: + autoScaling: Enabled + minReplicas: 2 + maxReplicas: 5 + replicas: 2 + processBaselines: + autoLock: Enabled + perNode: + fileActivityMonitoring: + mode: Enabled + customize: + envVars: + - name: ROX_NETFLOW_BATCHING + value: "true" + - name: ROX_NETFLOW_CACHE_LIMITING + value: "true" + overlays: + - apiVersion: apps/v1 + kind: DaemonSet + name: collector + patches: + - path: spec.template.spec.containers[name:fact].env[-1] + value: | + name: FACT_PATHS + value: "/tmp/data/**/*" + - path: spec.template.spec.containers[name:fact].env[-1] + value: | + name: FACT_LOGLEVEL + value: "info" diff --git a/release/start-secured-cluster/start-secured-cluster.sh b/release/start-secured-cluster/start-secured-cluster.sh index 9fa467ae..1379bf07 100755 --- a/release/start-secured-cluster/start-secured-cluster.sh +++ b/release/start-secured-cluster/start-secured-cluster.sh 
@@ -5,75 +5,66 @@ SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)" # Extract version from MAIN_IMAGE_TAG (e.g., "4.11.0-rc.2" -> "4.11") version_major_minor=$(echo "${MAIN_IMAGE_TAG}" | sed -E 's/^([0-9]+\.[0-9]+).*/\1/') - -# Parse major and minor version numbers version_major=$(echo "${version_major_minor}" | cut -d. -f1) version_minor=$(echo "${version_major_minor}" | cut -d. -f2) -# Determine if version is 4.11 or later (compare as integers, not floats) is_4_11_plus=false if [[ "$version_major" -gt 4 ]] || [[ "$version_major" -eq 4 && "$version_minor" -ge 11 ]]; then - echo "Using ACS 4.11+ secured cluster setup (version: ${version_major_minor})" + gh_log notice "Using ACS 4.11+ secured cluster setup (version: ${version_major_minor})" is_4_11_plus=true else - echo "Using ACS pre-4.11 secured cluster setup (version: ${version_major_minor})" + gh_log notice "Using ACS pre-4.11 secured cluster setup (version: ${version_major_minor})" fi -# Create namespace and image pull secrets BEFORE running sensor.sh -kubectl create namespace stackrox || true - -kubectl -n stackrox create secret docker-registry stackrox \ - --docker-server=quay.io \ - --docker-username="${REGISTRY_USERNAME}" \ - --docker-password="${REGISTRY_PASSWORD}" || true - -kubectl -n stackrox create secret docker-registry secured-cluster-services-main \ - --docker-server=quay.io \ - --docker-username="${REGISTRY_USERNAME}" \ - --docker-password="${REGISTRY_PASSWORD}" || true - -kubectl -n stackrox create secret docker-registry secured-cluster-services-collector \ - --docker-server=quay.io \ - --docker-username="${REGISTRY_USERNAME}" \ - --docker-password="${REGISTRY_PASSWORD}" || true +if ! command -v roxctl &>/dev/null; then + gh_log notice "Installing roxctl ${MAIN_IMAGE_TAG}..." 
+ curl -fsSL --retry 5 --retry-all-errors \ + -o ~/.local/bin/roxctl \ + "https://mirror.openshift.com/pub/rhacs/assets/${MAIN_IMAGE_TAG}/bin/linux/roxctl" + chmod +x ~/.local/bin/roxctl +fi -"${STACKROX_DIR}/deploy/k8s/sensor.sh" +gh_log notice "Deploying secured cluster with roxie..." +ROX_ADMIN_PASSWORD="${ROX_ADMIN_PASSWORD}" \ +roxie deploy secured-cluster \ + --verbose \ + --tag "$MAIN_IMAGE_TAG" \ + --config "${SCRIPT_DIR}/roxie-config.yaml" \ + --set "securedCluster.spec.centralEndpoint=${CENTRAL_IP}:443" \ + --early-readiness kubectl -n stackrox create secret generic access-rhacs \ - --from-literal="username=${ROX_ADMIN_USERNAME}" \ - --from-literal="password=${ROX_ADMIN_PASSWORD}" \ - --from-literal="central_url=${CLUSTER_API_ENDPOINT}" + --from-literal="username=${ROX_ADMIN_USERNAME}" \ + --from-literal="password=${ROX_ADMIN_PASSWORD}" \ + --from-literal="central_url=${CLUSTER_API_ENDPOINT}" -# Create the collector-config ConfigMap in order to enable external IPs kubectl create -f "${SCRIPT_DIR}/collector-config.yaml" -# Patch the collector DaemonSet to configure fact container -kubectl -n stackrox set env daemonset/collector FACT_PATHS="/tmp/data/**/*" FACT_LOGLEVEL="info" -c fact - -echo "Deploying Monitoring..." 
-monitoring_values_file="${COMMON_DIR}/../charts/monitoring/values.yaml" - -# Build base helm arguments -helm_args=( - --set persistence.type="${STORAGE}" - --set exposure.type="${MONITORING_LOAD_BALANCER}" - --set resources.requests.memory="8Gi" - --set resources.limits.memory="8Gi" -) - -if [[ "$is_4_11_plus" == true ]]; then - # 4.11+: Add memory settings and metric relabel configs to helm args - helm_args+=( - --set-json 'cadvisorMetricRelabelConfigs=[{"source_labels":["container"],"regex":"berserker","action":"drop"},{"source_labels":["namespace"],"regex":"berserker-.*","action":"drop"}]' - ) -fi - -helm dependency update "${COMMON_DIR}/../charts/monitoring" -envsubst < "$monitoring_values_file" > "${COMMON_DIR}/../charts/monitoring/values_substituted.yaml" -helm upgrade -n stackrox --install --create-namespace stackrox-monitoring "${COMMON_DIR}/../charts/monitoring" --values "${COMMON_DIR}/../charts/monitoring/values_substituted.yaml" "${helm_args[@]}" -rm "${COMMON_DIR}/../charts/monitoring/values_substituted.yaml" - -# Pre-4.11 only: Replace prometheus ConfigMap -if [[ "$is_4_11_plus" == false ]]; then - kubectl apply -f "${SCRIPT_DIR}"/prometheus.yaml +if [[ "${MONITORING_SUPPORT:-}" == "true" ]]; then + gh_log notice "Deploying monitoring stack..." 
+ monitoring_values="$(mktemp)" + monitoring_chart="${STACKROX_DIR}/deploy/charts/monitoring" + + helm_args=( + --set persistence.type=pvc + --set exposure.type=none + --set resources.requests.memory="8Gi" + --set resources.limits.memory="8Gi" + ) + + if [[ "$is_4_11_plus" == true ]]; then + helm_args+=( + --set-json 'cadvisorMetricRelabelConfigs=[{"source_labels":["container"],"regex":"berserker","action":"drop"},{"source_labels":["namespace"],"regex":"berserker-.*","action":"drop"}]' + ) + fi + + envsubst < "${monitoring_chart}/values.yaml" > "$monitoring_values" + helm dependency update "$monitoring_chart" + helm upgrade -n stackrox --install --create-namespace stackrox-monitoring \ + "$monitoring_chart" --values "$monitoring_values" "${helm_args[@]}" + rm -f "$monitoring_values" + + if [[ "$is_4_11_plus" == false ]]; then + kubectl apply -f "${SCRIPT_DIR}/prometheus.yaml" + fi fi
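Review bot: The explicit `kubectl create secret docker-registry` steps for `stackrox`, `secured-cluster-services-main` and `secured-cluster-services-collector` are removed, and the new `roxie deploy secured-cluster` call receives no registry credentials on its command line; `REGISTRY_USERNAME`/`REGISTRY_PASSWORD` remain in the step env, so this only works if roxie reads them from the environment, which is worth confirming because a missing pull secret shows up as ImagePullBackOff rather than a script error. Prefixing the call with `ROX_ADMIN_PASSWORD="${ROX_ADMIN_PASSWORD}" \` is a no-op as far as the action env shows, since the variable is already set there, and can be dropped. `kubectl create -f "${SCRIPT_DIR}/collector-config.yaml"` and `kubectl create secret generic access-rhacs` are not idempotent, so a re-run against the same cluster fails at the first of them; `kubectl apply -f` for the ConfigMap, or the `|| true` style the old pull-secret block used, would make the script rerunnable. The hunk begins on L13 and covers the rest of the script; whether `set -e` is in effect is outside it.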