stolostron · magic-mirror-bot · May 15, 2024 · May 10, 2024
diff --git a/...nput-acm-observability/thanos-secret.yaml → ...lus/input-acm-observability/operator.yaml b/...nput-acm-observability/thanos-secret.yaml → ...lus/input-acm-observability/operator.yaml
@@ -35,3 +35,35 @@ spec:
                                                 ($awsAccess.data.AWS_ACCESS_KEY_ID | base64dec) 
                                                 ($awsAccess.data.AWS_SECRET_ACCESS_KEY | base64dec)
                           ) | base64enc }}
+---
+apiVersion: v1
+data:
+  .dockerconfigjson: '{{- if eq (lookup "v1" "Secret" "open-cluster-management" "multiclusterhub-operator-pull-secret").kind "Secret" -}} {{- fromSecret "open-cluster-management" "multiclusterhub-operator-pull-secret" ".dockerconfigjson" -}} {{- else -}} {{- fromSecret "openshift-config" "pull-secret" ".dockerconfigjson" -}} {{- end -}}'
+kind: Secret
+metadata:
+  name: multiclusterhub-operator-pull-secret
+  namespace: open-cluster-management-observability
+type: kubernetes.io/dockerconfigjson
+---
+apiVersion: observability.open-cluster-management.io/v1beta2
+kind: MultiClusterObservability
+metadata:
+  name: observability
+spec:
+  observabilityAddonSpec: {}
+  storageConfig:
+    metricObjectStorage:
+      name: thanos-object-storage
+      key: thanos.yaml
+---
+apiVersion: console.openshift.io/v1
+kind: ConsoleLink
+metadata:
+  name: observability
+spec:
+  applicationMenu:
+    section: Red Hat applications
+    imageURL: 'https://upload.wikimedia.org/wikipedia/commons/3/3a/OpenShift-LogoType.svg'
+  href: https://{{ (lookup "route.openshift.io/v1" "Route" "open-cluster-management-observability" "grafana").spec.host }}
+  location: ApplicationMenu
+  text: 'Red Hat Advanced Cluster Management Observability'
diff --git a/...nerator/policy-sets/stable/openshift-plus/input-acm-observability/policy-ocm-console.yaml b/...nerator/policy-sets/stable/openshift-plus/input-acm-observability/policy-ocm-console.yaml
diff --git a/...r/policy-sets/stable/openshift-plus/input-acm-observability/policy-ocm-observability.yaml b/...r/policy-sets/stable/openshift-plus/input-acm-observability/policy-ocm-observability.yaml
diff --git a/...tor/policy-sets/stable/openshift-plus/input-acm-observability/policy-ocm-pull-secret.yaml b/...tor/policy-sets/stable/openshift-plus/input-acm-observability/policy-ocm-pull-secret.yaml
diff --git a/policygenerator/policy-sets/stable/openshift-plus/input-acm-observability/storage.yaml b/policygenerator/policy-sets/stable/openshift-plus/input-acm-observability/storage.yaml
@@ -0,0 +1,10 @@
+apiVersion: objectbucket.io/v1alpha1
+kind: ObjectBucketClaim
+metadata:
+  name: obc-observability
+  namespace: openshift-storage
+spec:
+  generateBucketName: obc-observability-bucket
+  storageClassName: openshift-storage.noobaa.io
+status:
+  phase: Bound
diff --git a/policygenerator/policy-sets/stable/openshift-plus/input-odf/policy-odf-cluster.yaml b/policygenerator/policy-sets/stable/openshift-plus/input-odf/policy-odf-cluster.yaml
@@ -0,0 +1,89 @@
+apiVersion: policy.open-cluster-management.io/v1
+kind: ConfigurationPolicy
+metadata:
+  name: policy-odf-cluster
+spec:
+  remediationAction: enforce
+  severity: high
+  object-templates-raw: |
+    {{- /* create the StorageClass if on VMware */ -}}
+    {{- if (eq (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type "VSphere") }}
+    - complianceType: musthave
+      objectDefinition:
+        apiVersion: storage.k8s.io/v1
+        kind: StorageClass
+        metadata:
+          annotations:
+            storageclass.kubernetes.io/is-default-class: "false"
+          name: thin-csi-odf
+        parameters:
+          StoragePolicyName: "vSAN Default Storage Policy"
+        provisioner: csi.vsphere.vmware.com
+        allowVolumeExpansion: true
+        reclaimPolicy: Delete
+        volumeBindingMode: WaitForFirstConsumer
+    {{- end }}
+    - complianceType: musthave
+      objectDefinition:
+        apiVersion: ocs.openshift.io/v1
+        kind: StorageCluster
+        metadata:
+          annotations:
+            uninstall.ocs.openshift.io/cleanup-policy: delete
+            uninstall.ocs.openshift.io/mode: graceful
+          name: ocs-storagecluster
+          namespace: openshift-storage
+        spec:
+          arbiter: {}
+          encryption:
+            kms: {}
+          externalStorage: {}
+          managedResources:
+            cephBlockPools: {}
+            cephCluster: {}
+            cephConfig: {}
+            cephDashboard: {}
+            cephFilesystems: {}
+            cephObjectStoreUsers: {}
+            cephObjectStores: {}
+            cephToolbox: {}
+          mirroring: {}
+          nodeTopologies: {}
+          resources:
+            mds: {}
+            mgr: {}
+            mon: {}
+            noobaa-core: {}
+            noobaa-db: {}
+            noobaa-endpoint:
+              limits:
+                cpu: 1
+                memory: 500Mi
+              requests:
+                cpu: 1
+                memory: 500Mi
+            rgw: {}
+          storageDeviceSets:
+          - config: {}
+            count: 1
+            dataPVCTemplate:
+              metadata: {}
+              spec:
+                accessModes:
+                - ReadWriteOnce
+                resources:
+                  requests:
+                    storage: 100Gi
+    {{- if (eq (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type "VSphere") }}
+                storageClassName: thin-csi-odf
+    {{- else }}
+                storageClassName: gp3-csi
+    {{- end }}
+                volumeMode: Block
+              status: {}
+            name: ocs-deviceset
+            placement: {}
+            portable: true
+            preparePlacement: {}
+            replica: 3
+            resources: {}
diff --git a/policygenerator/policy-sets/stable/openshift-plus/input-odf/policy-odf-status.yaml b/policygenerator/policy-sets/stable/openshift-plus/input-odf/policy-odf-status.yaml
@@ -59,11 +59,3 @@ metadata:
   namespace: openshift-storage
 status:
   phase: Ready
----
-apiVersion: objectbucket.io/v1alpha1
-kind: ObjectBucketClaim
-metadata:
-  name: obc-observability
-  namespace: openshift-storage
-status:
-  phase: Bound
diff --git a/policygenerator/policy-sets/stable/openshift-plus/input-odf/policy-odf.yaml b/policygenerator/policy-sets/stable/openshift-plus/input-odf/policy-odf.yaml
@@ -35,60 +35,6 @@ spec:
   name: ocs-storagecluster
   namespace: openshift-storage
 ---
-apiVersion: ocs.openshift.io/v1
-kind: StorageCluster
-metadata:
-  annotations:
-    uninstall.ocs.openshift.io/cleanup-policy: delete
-    uninstall.ocs.openshift.io/mode: graceful
-  name: ocs-storagecluster
-  namespace: openshift-storage
-spec:
-  arbiter: {}
-  encryption:
-    kms: {}
-  externalStorage: {}
-  managedResources:
-    cephBlockPools: {}
-    cephCluster: {}
-    cephConfig: {}
-    cephDashboard: {}
-    cephFilesystems: {}
-    cephObjectStoreUsers: {}
-    cephObjectStores: {}
-    cephToolbox: {}
-  mirroring: {}
-  nodeTopologies: {}
-  storageDeviceSets:
-  - config: {}
-    count: 1
-    dataPVCTemplate:
-      metadata: {}
-      spec:
-        accessModes:
-        - ReadWriteOnce
-        resources:
-          requests:
-            storage: 100Gi
-        storageClassName: gp3-csi
-        volumeMode: Block
-      status: {}
-    name: ocs-deviceset-gp3-csi
-    placement: {}
-    portable: true
-    preparePlacement: {}
-    replica: 3
-    resources: {}
----
-apiVersion: objectbucket.io/v1alpha1
-kind: ObjectBucketClaim
-metadata:
-  name: obc-observability
-  namespace: openshift-storage
-spec:
-  generateBucketName: obc-observability-bucket
-  storageClassName: openshift-storage.noobaa.io
----
 apiVersion: operator.openshift.io/v1
 kind: Console
 metadata:

diff --git a/policygenerator/policy-sets/stable/openshift-plus/policyGenerator.yaml b/policygenerator/policy-sets/stable/openshift-plus/policyGenerator.yaml
@@ -113,7 +113,7 @@ policies:
   remediationAction: inform
 # ACS Policies - end
 # Observability Policy - start
-- name: policy-ocm-observability
+- name: policy-observability-storage
   consolidateManifests: false
   categories:
     - CA Assessment Authorization and Monitoring
@@ -122,7 +122,17 @@ policies:
   dependencies:
     - name: policy-odf-status
   manifests:
-    - path: input-acm-observability/
+    - path: input-acm-observability/storage.yaml
+- name: policy-observability-operator
+  consolidateManifests: false
+  categories:
+    - CA Assessment Authorization and Monitoring
+  controls: 
+    - CA-7 Continuous Monitoring
+  dependencies:
+    - name: policy-observability-storage
+  manifests:
+    - path: input-acm-observability/operator.yaml
 # Observability Policy - end
 # ODF Policies - start
 - name: policy-odf
@@ -132,6 +142,15 @@ policies:
     - SI-7 Software Firmware and Information Integrity
   manifests:
     - path: input-odf/policy-odf.yaml
+- name: policy-odf-cluster
+  categories:
+    - SI System and Information Integrity
+  controls: 
+    - SI-7 Software Firmware and Information Integrity
+  dependencies:
+    - name: policy-odf
+  manifests:
+    - path: input-odf/policy-odf-cluster.yaml
 - name: policy-odf-status
   categories:
     - SI System and Information Integrity