argocd.argoproj.io/sync-options: Replace=true
×
在 PolicyGenerator 或 PolicyGenTemplate CR 中使用 Hub 模板
Topology Aware Lifecycle Manager 支持 Red Hat Advanced Cluster Management (RHACM) 集中集群模板函数,这些函数用于与 GitOps 零接触配置 (ZTP) 配合使用的配置策略。
集中集群模板允许您定义配置策略,这些策略可以根据目标集群动态自定义。这减少了为许多具有相似配置但值不同的集群创建单独策略的需求。
|
策略模板限制在与定义策略的命名空间相同的命名空间中。这意味着您必须在创建策略的命名空间中创建集中模板中引用的对象。 |
|
在即将发布的 OpenShift Container Platform 版本中,使用 有关 |
在组 PolicyGenerator 或 PolicyGentemplate CR 中指定组和站点配置
您可以使用集中模板来填充应用于托管集群的生成策略中的组和站点值,从而使用ConfigMap CR 管理集群群的配置。在站点PolicyGenerator 或PolicyGentemplate CR 中使用集中模板意味着您无需为每个站点创建一个策略 CR。
您可以根据用例(例如硬件类型或区域)将集群群分为不同的类别。每个集群都应具有与集群所属组对应的标签。如果您在不同的ConfigMap CR 中管理每个组的配置值,则只需一个组策略 CR 即可通过使用集中模板将更改应用于组中的所有集群。
以下示例演示如何使用三个ConfigMap CR 和一个PolicyGenerator CR 将站点和组配置应用于按硬件类型和区域分组的集群。
|
|
先决条件
-
您已安装 OpenShift CLI (
oc)。 -
您已以具有
cluster-admin权限的用户身份登录到集中集群。 -
您已创建了一个 Git 存储库,您在其中管理自定义站点配置数据。该存储库必须可从集中集群访问,并被定义为 GitOps ZTP ArgoCD 应用程序的源存储库。
步骤
-
创建三个包含组和站点配置的
ConfigMapCR-
创建一个名为
group-hardware-types-configmap的ConfigMapCR 来保存特定于硬件的配置。例如apiVersion: v1 kind: ConfigMap metadata: name: group-hardware-types-configmap namespace: ztp-group annotations: argocd.argoproj.io/sync-options: Replace=true (1) data: # SriovNetworkNodePolicy.yaml hardware-type-1-sriov-node-policy-pfNames-1: "[\"ens5f0\"]" hardware-type-1-sriov-node-policy-pfNames-2: "[\"ens7f0\"]" # PerformanceProfile.yaml hardware-type-1-cpu-isolated: "2-31,34-63" hardware-type-1-cpu-reserved: "0-1,32-33" hardware-type-1-hugepages-default: "1G" hardware-type-1-hugepages-size: "1G" hardware-type-1-hugepages-count: "32"1 仅当 ConfigMap大小超过 1 MiB 时,才需要argocd.argoproj.io/sync-options注释。 -
创建一个名为
group-zones-configmap的ConfigMapCR 来保存区域配置。例如apiVersion: v1 kind: ConfigMap metadata: name: group-zones-configmap namespace: ztp-group data: # ClusterLogForwarder.yaml zone-1-cluster-log-fwd-outputs: "[{\"type\":\"kafka\", \"name\":\"kafka-open\", \"url\":\"tcp://10.46.55.190:9092/test\"}]" zone-1-cluster-log-fwd-pipelines: "[{\"inputRefs\":[\"audit\", \"infrastructure\"], \"labels\": {\"label1\": \"test1\", \"label2\": \"test2\", \"label3\": \"test3\", \"label4\": \"test4\"}, \"name\": \"all-to-default\", \"outputRefs\": [\"kafka-open\"]}]" -
创建一个名为
site-data-configmap的ConfigMapCR 来保存特定于站点的配置。例如apiVersion: v1 kind: ConfigMap metadata: name: site-data-configmap namespace: ztp-group data: # SriovNetwork.yaml du-sno-1-zone-1-sriov-network-vlan-1: "140" du-sno-1-zone-1-sriov-network-vlan-2: "150"
每个
ConfigMapCR 必须与要从组PolicyGeneratorCR 生成的策略位于相同的命名空间中。 -
-
在 Git 中提交
ConfigMapCR,然后推送到 Argo CD 应用程序正在监视的 Git 存储库。 -
将硬件类型和区域标签应用于集群。以下命令适用于名为
du-sno-1-zone-1的单个集群,选择的标签为"hardware-type": "hardware-type-1"和"group-du-sno-zone": "zone-1"$ oc patch managedclusters.cluster.open-cluster-management.io/du-sno-1-zone-1 --type merge -p '{"metadata":{"labels":{"hardware-type": "hardware-type-1", "group-du-sno-zone": "zone-1"}}}' -
根据您的需求,创建一个使用集中模板从
ConfigMap对象获取所需数据的组PolicyGenerator或PolicyGentemplateCR-
创建一个组
PolicyGeneratorCR。此示例PolicyGeneratorCR 为与policyDefaults.placement字段下列出的标签匹配的集群配置日志记录、VLAN ID、NIC 和性能配置文件--- apiVersion: policy.open-cluster-management.io/v1 kind: PolicyGenerator metadata: name: group-du-sno-pgt placementBindingDefaults: name: group-du-sno-pgt-placement-binding policyDefaults: placement: labelSelector: matchExpressions: - key: group-du-sno-zone operator: In values: - zone-1 - key: hardware-type operator: In values: - hardware-type-1 remediationAction: inform severity: low namespaceSelector: exclude: - kube-* include: - '*' evaluationInterval: compliant: 10m noncompliant: 10s policies: - name: group-du-sno-pgt-group-du-sno-cfg-policy policyAnnotations: ran.openshift.io/ztp-deploy-wave: "10" manifests: - path: source-crs/ClusterLogForwarder.yaml patches: - spec: outputs: '{{hub fromConfigMap "" "group-zones-configmap" (printf "%s-cluster-log-fwd-outputs" (index .ManagedClusterLabels "group-du-sno-zone")) | toLiteral hub}}' pipelines: '{{hub fromConfigMap "" "group-zones-configmap" (printf "%s-cluster-log-fwd-pipelines" (index .ManagedClusterLabels "group-du-sno-zone")) | toLiteral hub}}' - path: source-crs/PerformanceProfile-MCP-master.yaml patches: - metadata: name: openshift-node-performance-profile spec: additionalKernelArgs: - rcupdate.rcu_normal_after_boot=0 - vfio_pci.enable_sriov=1 - vfio_pci.disable_idle_d3=1 - efi=runtime cpu: isolated: '{{hub fromConfigMap "" "group-hardware-types-configmap" (printf "%s-cpu-isolated" (index .ManagedClusterLabels "hardware-type")) hub}}' reserved: '{{hub fromConfigMap "" "group-hardware-types-configmap" (printf "%s-cpu-reserved" (index .ManagedClusterLabels "hardware-type")) hub}}' hugepages: defaultHugepagesSize: '{{hub fromConfigMap "" "group-hardware-types-configmap" (printf "%s-hugepages-default" (index .ManagedClusterLabels "hardware-type")) hub}}' pages: - count: '{{hub fromConfigMap "" "group-hardware-types-configmap" (printf "%s-hugepages-count" (index .ManagedClusterLabels "hardware-type")) | toInt hub}}' size: '{{hub fromConfigMap "" "group-hardware-types-configmap" (printf "%s-hugepages-size" (index .ManagedClusterLabels "hardware-type")) hub}}' realTimeKernel: enabled: true - name: group-du-sno-pgt-group-du-sno-sriov-policy policyAnnotations: ran.openshift.io/ztp-deploy-wave: "100" manifests: - path: source-crs/SriovNetwork.yaml patches: - metadata: name: sriov-nw-du-fh spec: resourceName: du_fh vlan: '{{hub fromConfigMap "" "site-data-configmap" (printf "%s-sriov-network-vlan-1" .ManagedClusterName) | toInt hub}}' - path: source-crs/SriovNetworkNodePolicy-MCP-master.yaml patches: - metadata: name: sriov-nnp-du-fh spec: deviceType: netdevice isRdma: false nicSelector: pfNames: '{{hub fromConfigMap "" "group-hardware-types-configmap" (printf "%s-sriov-node-policy-pfNames-1" (index .ManagedClusterLabels "hardware-type")) | toLiteral hub}}' numVfs: 8 priority: 10 resourceName: du_fh - path: source-crs/SriovNetwork.yaml patches: - metadata: name: sriov-nw-du-mh spec: resourceName: du_mh vlan: '{{hub fromConfigMap "" "site-data-configmap" (printf "%s-sriov-network-vlan-2" .ManagedClusterName) | toInt hub}}' - path: source-crs/SriovNetworkNodePolicy-MCP-master.yaml patches: - metadata: name: sriov-nw-du-fh spec: deviceType: netdevice isRdma: false nicSelector: pfNames: '{{hub fromConfigMap "" "group-hardware-types-configmap" (printf "%s-sriov-node-policy-pfNames-2" (index .ManagedClusterLabels "hardware-type")) | toLiteral hub}}' numVfs: 8 priority: 10 resourceName: du_fh -
创建一个组
PolicyGenTemplateCR。此示例PolicyGenTemplateCR 为与spec.bindingRules字段下列出的标签匹配的集群配置日志记录、VLAN ID、NIC 和性能配置文件apiVersion: ran.openshift.io/v1 kind: PolicyGenTemplate metadata: name: group-du-sno-pgt namespace: ztp-group spec: bindingRules: # These policies will correspond to all clusters with these labels group-du-sno-zone: "zone-1" hardware-type: "hardware-type-1" mcp: "master" sourceFiles: - fileName: ClusterLogForwarder.yaml # wave 10 policyName: "group-du-sno-cfg-policy" spec: outputs: '{{hub fromConfigMap "" "group-zones-configmap" (printf "%s-cluster-log-fwd-outputs" (index .ManagedClusterLabels "group-du-sno-zone")) | toLiteral hub}}' pipelines: '{{hub fromConfigMap "" "group-zones-configmap" (printf "%s-cluster-log-fwd-pipelines" (index .ManagedClusterLabels "group-du-sno-zone")) | toLiteral hub}}' - fileName: PerformanceProfile.yaml # wave 10 policyName: "group-du-sno-cfg-policy" metadata: name: openshift-node-performance-profile spec: additionalKernelArgs: - rcupdate.rcu_normal_after_boot=0 - vfio_pci.enable_sriov=1 - vfio_pci.disable_idle_d3=1 - efi=runtime cpu: isolated: '{{hub fromConfigMap "" "group-hardware-types-configmap" (printf "%s-cpu-isolated" (index .ManagedClusterLabels "hardware-type")) hub}}' reserved: '{{hub fromConfigMap "" "group-hardware-types-configmap" (printf "%s-cpu-reserved" (index .ManagedClusterLabels "hardware-type")) hub}}' hugepages: defaultHugepagesSize: '{{hub fromConfigMap "" "group-hardware-types-configmap" (printf "%s-hugepages-default" (index .ManagedClusterLabels "hardware-type")) hub}}' pages: - size: '{{hub fromConfigMap "" "group-hardware-types-configmap" (printf "%s-hugepages-size" (index .ManagedClusterLabels "hardware-type")) hub}}' count: '{{hub fromConfigMap "" "group-hardware-types-configmap" (printf "%s-hugepages-count" (index .ManagedClusterLabels "hardware-type")) | toInt hub}}' realTimeKernel: enabled: true - fileName: SriovNetwork.yaml # wave 100 policyName: "group-du-sno-sriov-policy" metadata: name: sriov-nw-du-fh spec: resourceName: du_fh vlan: '{{hub fromConfigMap "" "site-data-configmap" (printf "%s-sriov-network-vlan-1" .ManagedClusterName) | toInt hub}}' - fileName: SriovNetworkNodePolicy.yaml # wave 100 policyName: "group-du-sno-sriov-policy" metadata: name: sriov-nnp-du-fh spec: deviceType: netdevice isRdma: false nicSelector: pfNames: '{{hub fromConfigMap "" "group-hardware-types-configmap" (printf "%s-sriov-node-policy-pfNames-1" (index .ManagedClusterLabels "hardware-type")) | toLiteral hub}}' numVfs: 8 priority: 10 resourceName: du_fh - fileName: SriovNetwork.yaml # wave 100 policyName: "group-du-sno-sriov-policy" metadata: name: sriov-nw-du-mh spec: resourceName: du_mh vlan: '{{hub fromConfigMap "" "site-data-configmap" (printf "%s-sriov-network-vlan-2" .ManagedClusterName) | toInt hub}}' - fileName: SriovNetworkNodePolicy.yaml # wave 100 policyName: "group-du-sno-sriov-policy" metadata: name: sriov-nw-du-fh spec: deviceType: netdevice isRdma: false nicSelector: pfNames: '{{hub fromConfigMap "" "group-hardware-types-configmap" (printf "%s-sriov-node-policy-pfNames-2" (index .ManagedClusterLabels "hardware-type")) | toLiteral hub}}' numVfs: 8 priority: 10 resourceName: du_fh
要检索特定站点的配置值,请使用
.ManagedClusterName字段。这是一个模板上下文值,设置为目标托管集群的名称。要检索特定组的配置,请使用
.ManagedClusterLabels字段。这是一个模板上下文值,设置为托管集群标签的值。 -
-
提交站点
PolicyGenerator或PolicyGentemplateCR 到 Git,并推送到 ArgoCD 应用监控的 Git 仓库。对引用的
ConfigMapCR 的后续更改不会自动同步到已应用的策略。您需要手动同步新的ConfigMap更改以更新现有的PolicyGeneratorCR。请参阅“将新的 ConfigMap 更改同步到现有的 PolicyGenerator 或 PolicyGenTemplate CR”。您可以对多个集群使用相同的
PolicyGenerator或PolicyGentemplateCR。如果存在配置更改,则您只需要修改保存每个集群配置的ConfigMap对象和托管集群的标签。
将新的 ConfigMap 更改同步到现有的 PolicyGenerator 或 PolicyGenTemplate CR
先决条件
-
您已安装 OpenShift CLI (
oc)。 -
您已以具有
cluster-admin权限的用户身份登录到集中集群。 -
您已创建了一个使用中心集群模板从
ConfigMapCR 中提取信息的PolicyGenerator或PolicyGentemplateCR。
步骤
-
更新
ConfigMapCR 的内容,并在中心集群中应用更改。 -
要将更新的
ConfigMapCR 的内容同步到已部署的策略,请执行以下任一操作-
选项 1:删除现有策略。ArgoCD 使用
PolicyGenerator或PolicyGentemplateCR 立即重新创建已删除的策略。例如,运行以下命令:$ oc delete policy <policy_name> -n <policy_namespace> -
选项 2:每次更新
ConfigMap时,都使用不同的值将特殊的注释policy.open-cluster-management.io/trigger-update应用于策略。例如:$ oc annotate policy <policy_name> -n <policy_namespace> policy.open-cluster-management.io/trigger-update="1"您必须应用更新的策略才能使更改生效。有关更多信息,请参阅重新处理的特殊注释。
-
-
可选:如果存在,请删除包含策略的
ClusterGroupUpdateCR。例如:$ oc delete clustergroupupgrade <cgu_name> -n <cgu_namespace>-
创建一个新的
ClusterGroupUpdateCR,其中包含要应用的策略以及更新的ConfigMap更改。例如,将以下 YAML 添加到文件cgr-example.yaml中:apiVersion: ran.openshift.io/v1alpha1 kind: ClusterGroupUpgrade metadata: name: <cgr_name> namespace: <policy_namespace> spec: managedPolicies: - <managed_policy> enable: true clusters: - <managed_cluster_1> - <managed_cluster_2> remediationStrategy: maxConcurrency: 2 timeout: 240 -
应用更新的策略
$ oc apply -f cgr-example.yaml
-