sjenning

#!/bin/sh

set -eu

cd $GOPATH/src/k8s.io/kubernetes
for release in "1.15" "1.16" "1.17"; do
  echo "=== v${release} ==="
  git log --oneline --no-merges v${release}.0..upstream/release-${release} -- pkg/kubelet cmd/kubelet
done

sjenning

#!/bin/bash

set -eux

export AWS_PROFILE=openshift-dev
export AWS_DEFAULT_REGION=us-west-1

CLUSTER_NAME=aws
mkdir -p $HOME/clusters
cd $HOME/clusters

sjenning

References

• https://kubernetes.io/blog/2019/03/21/a-guide-to-kubernetes-admission-controllers/
• https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/
• https://github.com/aws/amazon-eks-pod-identity-webhook/
• https://github.com/aws/amazon-eks-pod-identity-webhook/blob/master/SELF_HOSTED_SETUP.md
• https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/
• https://github.com/openshift/api/blob/master/config/v1/types_authentication.go#L54-L58
• https://github.com/openshift/enhancements/blob/master/enhancements/kube-apiserver/bound-sa-tokens.md
• https://github.com/kubernetes/community/blob/master/contributors/design-proposals/auth/bound-service-account-tokens.md
• https://docs.google.com/document/d/1XcOsEv4jO9P1QQHn-tOnC80oMyCm85hGA6LqHRfjTgo/edit

sjenning

#!/bin/bash

set -xe

export S3_BUCKET=sjenning-oidc-provider
export AWS_REGION=us-west-1

# Extract the serviceaccount keypair from cluster
PRIV_KEY="sa-signer.key"
PKCS_KEY="sa-signer-pkcs8.pub"

sjenning

References

• https://docs.openshift.com/container-platform/4.3/operators/olm-restricted-networks.html
• docs bug to add procedure for creating the CatalogSource manually https://bugzilla.redhat.com/show_bug.cgi?id=1796464

Notes

• using oc from 4.4 as 4.3 apparently has a bug in the oc adm catalog command(s)

Procedure

Disable the default catalog sources

oc patch OperatorHub cluster --type json \
    -p '[{"op": "add", "path": "/spec/disableAllDefaultSources", "value": true}]'

sjenning

FROM registry.redhat.io/openshift4/ose-operator-registry:v4.2.1
COPY manifests manifests
RUN /bin/initializer -o ./bundles.db
EXPOSE 50051
ENTRYPOINT ["/bin/registry-server"]
CMD ["--database", "bundles.db"]

sjenning

This the procedure for generating ignition configs for govcloud using th 4.3 installer (which actively thwarts attempts to do this)

Create install-config.yaml

apiVersion: v1
baseDomain: sjennings.me
# disconnected install requires local mirror
# oc adm release mirror
imageContentSources:
- mirrors:

sjenning

#!/usr/bin/env python3

import json
import os
import sys
import base64

ign_file = open(sys.argv[1])
ign_json = json.load(ign_file)
ign_file.close()

sjenning

Permissions needed for install (IPI)

https://github.com/openshift/installer/blob/master/pkg/asset/installconfig/aws/permissions.go#L32-L214

Below is documented what is required to operate for the UPI case (untested and not verified)

image-registry user

needed for integrated registry

sjenning

# cat horizon/custom_local_settings
LAUNCH_INSTANCE_DEFAULTS = {
    "create_volume": False,
}
SESSION_TIMEOUT = 86400