From 273c7070eabe72a7ca72644b6ebfa65646e263b1 Mon Sep 17 00:00:00 2001 From: Doreen Seider Date: Fri, 24 Apr 2026 15:45:21 +0200 Subject: [PATCH 1/3] Add solar OCM components --- .github/workflows/release-ocm-components.yml | 2 + README.md | 23 ++ solution-arsenal-discovery/README.md | 89 +++++ solution-arsenal-discovery/bootstrap.yaml | 149 ++++++++ .../component-constructor.yaml | 53 +++ .../minimal-values.yaml | 48 +++ .../production-values.yaml | 71 ++++ solution-arsenal-discovery/rgd-template.yaml | 237 +++++++++++++ solution-arsenal/README.md | 93 +++++ solution-arsenal/bootstrap.yaml | 159 +++++++++ solution-arsenal/component-constructor.yaml | 80 +++++ solution-arsenal/minimal-values.yaml | 100 ++++++ solution-arsenal/production-values.yaml | 176 ++++++++++ solution-arsenal/rgd-template.yaml | 320 ++++++++++++++++++ 14 files changed, 1600 insertions(+) create mode 100644 solution-arsenal-discovery/README.md create mode 100644 solution-arsenal-discovery/bootstrap.yaml create mode 100644 solution-arsenal-discovery/component-constructor.yaml create mode 100644 solution-arsenal-discovery/minimal-values.yaml create mode 100644 solution-arsenal-discovery/production-values.yaml create mode 100644 solution-arsenal-discovery/rgd-template.yaml create mode 100644 solution-arsenal/README.md create mode 100644 solution-arsenal/bootstrap.yaml create mode 100644 solution-arsenal/component-constructor.yaml create mode 100644 solution-arsenal/minimal-values.yaml create mode 100644 solution-arsenal/production-values.yaml create mode 100644 solution-arsenal/rgd-template.yaml diff --git a/.github/workflows/release-ocm-components.yml b/.github/workflows/release-ocm-components.yml index 003d0e8..63cc220 100644 --- a/.github/workflows/release-ocm-components.yml +++ b/.github/workflows/release-ocm-components.yml 
@@ -18,6 +18,8 @@ jobs: - ./cloudnative-pg - ./keycloak - ./ocm-demo + - ./solution-arsenal + - ./solution-arsenal-discovery steps: - name: Checkout repository uses: actions/checkout@v6 diff --git a/README.md b/README.md index a9d206b..27aec22 100644 --- a/README.md +++ b/README.md @@ -117,6 +117,29 @@ helm install artifact-conduit artifact-conduit/arc-0.1.0.tgz \ **Note**: Artifact Conduit is an early-stage project (356+ commits, 8 contributors) not yet recommended for production without thorough testing. It provides a declarative way to transfer artifacts across security boundaries with automated scanning and policy compliance. +### Solution Arsenal + +OCM-based Application Catalog and Fleet Rollout Manager + +- **Status**: Early Stage (pre-release, active development) +- **License**: Apache 2.0 +- **Configurations**: + - Minimal (single instance, development / evaluation) + - Production (3 replicas each, leader election, metrics enabled) +- **Documentation**: [solution-arsenal/README.md](solution-arsenal/README.md) + +### Solution Arsenal Discovery + +Standalone OCI Registry Scanner for OCM Packages + +- **Status**: Early Stage (pre-release, active development) +- **License**: Apache 2.0 +- **Configurations**: + - Minimal (single instance, scan-only mode, no webhook) + - Production (2 replicas, webhook listener enabled, anti-affinity) +- **Documentation**: [solution-arsenal-discovery/README.md](solution-arsenal-discovery/README.md) + + ### ocm-demo (v0.1.0) Minimal example component used to demonstrate OCM packaging, transfer, and runtime image localization. diff --git a/solution-arsenal-discovery/README.md b/solution-arsenal-discovery/README.md new file mode 100644 index 0000000..c739efe --- /dev/null +++ b/solution-arsenal-discovery/README.md 
@@ -0,0 +1,89 @@ +# Solution Arsenal Discovery (SolAr Discovery) OCM Component + +This directory contains the OCM (Open Component Model) packaging for [SolAr Discovery](https://github.com/opendefensecloud/solution-arsenal), a standalone OCI registry scanner that discovers OCM packages and populates the Solution Arsenal catalog. + +## Component structure + +``` +solution-arsenal-discovery/ +├── bootstrap.yaml # OCM K8s Toolkit bootstrap + example CR instances +├── component-constructor.yaml # OCM component descriptor +├── minimal-values.yaml # Helm values: single-instance dev/test profile +├── production-values.yaml # Helm values: HA production profile +└── rgd-template.yaml # KRO ResourceGraphDefinition +``` + +## Prerequisites + +### Required +- **Kubernetes** +- **Helm** + +### Optional +- **KRO (Kubernetes Resource Orchestrator)**: For RGD-based bootstrapping +- **OCM K8s Toolkit**: For OCM-based deployment +- **FluxCD**: For GitOps-style deployments + +## Quick start + +### 1. Build the CTF archive + +Run from the `solution-arsenal-discovery/` directory of this repo: + +```bash +ocm add componentversion --version 0.1.0 --create --file ./ctf component-constructor.yaml +``` + +### 2. Transfer to a registry + +```bash +# Public registry (replace with your org) +ocm transfer ctf --copy-local-resources ./ctf ghcr.io/your-org + +# Local registry for testing +ocm transfer ctf --copy-local-resources ./ctf localhost:5001 +``` + +The `--copy-local-resources` flag rewrites the image references inside the component to point to the target registry. The RGD picks up these rewritten references at runtime so images are pulled from the correct location. + +### 3. Edit bootstrap.yaml + +Open `bootstrap.yaml` and set the registry URL in the `Repository` resource: + +```yaml +spec: + url: oci://ghcr.io/your-org +``` + +If the registry is private, uncomment the `Secret` block and the `secretRef` fields throughout the file. + +### 4. 
Apply the bootstrap + +```bash +kubectl apply -f bootstrap.yaml +``` + +This creates the OCM K8s Toolkit resources that fetch the RGD and the `SolutionArsenalDiscoveryBootstrap` CR that triggers the actual deployment. + +### 5. Verify + +```bash +# RGD created by the deployer +kubectl get rgd solution-arsenal-discovery-bootstrap + +# CRD registered by KRO +kubectl get crd solutionarsenaldiscoverybootstraps.kro.run + +# Bootstrap instance status +kubectl get solutionarsenaldiscoverybootstrap -A + +# Application pods +kubectl get pods -n solution-arsenal-system +``` + +## Resources + +- [Solution Arsenal repository](https://github.com/opendefensecloud/solution-arsenal) +- [SolAr documentation](https://solar.opendefense.cloud) +- [OCM specification](https://ocm.software) +- [KRO documentation](https://kro.run) diff --git a/solution-arsenal-discovery/bootstrap.yaml b/solution-arsenal-discovery/bootstrap.yaml new file mode 100644 index 0000000..f489418 --- /dev/null +++ b/solution-arsenal-discovery/bootstrap.yaml 
@@ -0,0 +1,149 @@ +--- +# Bootstrap configuration for SolutionArsenal Discovery component deployment +# This file uses OCM K8s Toolkit to fetch and deploy the ResourceGraphDefinition +# from the OCM component, enabling self-contained deployment with automatic +# image localization when components are transferred between registries. + +apiVersion: v1 +kind: Namespace +metadata: + name: ocm-system +--- +# Optional: Secret for private registry access +# Uncomment and configure if using a private OCI registry +# apiVersion: v1 +# kind: Secret +# metadata: +# name: ocm-registry-credentials +# namespace: ocm-system +# type: kubernetes.io/dockerconfigjson +# data: +# .dockerconfigjson: +--- +# OCM Repository - Points to the OCI registry containing OCM components +apiVersion: delivery.ocm.software/v1alpha1 +kind: Repository +metadata: + name: solution-arsenal-discovery-repo + namespace: ocm-system +spec: + # Replace with your OCM registry URL + url: oci://ghcr.io/your-org/ocm-components + # Optional: Reference secret for private registry access + # secretRef: + # name: ocm-registry-credentials +--- +# OCM Component - References the specific SolutionArsenal Discovery component +apiVersion: delivery.ocm.software/v1alpha1 +kind: Component +metadata: + name: solution-arsenal-discovery-component + namespace: ocm-system +spec: + component: opendefense.cloud/solution-arsenal-discovery + version: 0.1.0 + repository: + name: solution-arsenal-discovery-repo + # Optional: Reference secret for private registry access + # secretRef: + # name: ocm-registry-credentials +--- +# OCM Resource - Fetches the ResourceGraphDefinition from the component +apiVersion: delivery.ocm.software/v1alpha1 +kind: Resource +metadata: + name: solution-arsenal-discovery-rgd + namespace: ocm-system +spec: + resource: solution-arsenal-discovery-rgd + component: + name: solution-arsenal-discovery-component + # Optional: Reference secret for private registry access + # secretRef: + # name: 
ocm-registry-credentials +--- +# OCM Deployer - Applies the RGD content to the cluster +# Note: This is a cluster-scoped operation that creates the RGD CRD +apiVersion: delivery.ocm.software/v1alpha1 +kind: Deployer +metadata: + name: solution-arsenal-discovery-rgd-deployer + namespace: ocm-system +spec: + resource: + name: solution-arsenal-discovery-rgd + # Optional: Reference secret for private registry access + # secretRef: + # name: ocm-registry-credentials +--- +# Example SolutionArsenal Discovery Bootstrap instance - Minimal configuration +# Deploys a single scanner instance in scan-only mode +apiVersion: v1alpha1 +kind: SolutionArsenalDiscoveryBootstrap +metadata: + name: solution-arsenal-discovery-minimal + namespace: default +spec: + # Registry configuration + registry: + url: ghcr.io # Replace with your registry if using a private one + + # Component reference + componentName: opendefense.cloud/solution-arsenal-discovery + componentVersion: 0.1.0 + + # Deployment configuration + namespace: solar-system + + # Use minimal profile for development/testing + deploymentProfile: minimal + + # Single replica for minimal setup + replicaCount: 1 + + # Webhook service enabled (but no registries configured yet) + webhookServiceEnabled: true + webhookServicePort: 8080 + + # CA bundle disabled for minimal setup + caBundleEnabled: false + + # Optional: Reference to OCM config secret for private registries + # ocmConfigSecretName: ocm-registry-credentials +--- +# Example SolutionArsenal Discovery Bootstrap instance - Production configuration +# Uncomment to deploy a production-grade setup with anti-affinity +# apiVersion: v1alpha1 +# kind: SolutionArsenalDiscoveryBootstrap +# metadata: +# name: solution-arsenal-discovery-production +# namespace: default +# spec: +# # Registry configuration +# registry: +# url: ghcr.io +# +# # Component reference +# componentName: opendefense.cloud/solution-arsenal-discovery +# componentVersion: 0.1.0 +# +# # Deployment configuration +# 
namespace: solution-arsenal-system +# +# # Use production profile +# deploymentProfile: production +# +# # 2 replicas for redundancy +# replicaCount: 2 +# +# # Webhook listener enabled for event-driven discovery +# webhookServiceEnabled: true +# webhookServicePort: 8080 +# +# # CA bundle for private registry TLS +# caBundleEnabled: true +# caBundleConfigMapName: registry-ca-bundle +# caBundleKey: trust-bundle.pem +# +# # Optional: Reference to OCM config secret for private registries +# # ocmConfigSecretName: ocm-registry-credentials diff --git a/solution-arsenal-discovery/component-constructor.yaml b/solution-arsenal-discovery/component-constructor.yaml new file mode 100644 index 0000000..f15a3c0 --- /dev/null +++ b/solution-arsenal-discovery/component-constructor.yaml 
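Review bot: The example `SolutionArsenalDiscoveryBootstrap` instances declare `apiVersion: v1alpha1` with no API group, while this patch's own README verifies the generated CRD as `solutionarsenaldiscoverybootstraps.kro.run`; as far as I know KRO registers instance CRDs under the `kro.run` group, so the instance would need `apiVersion: kro.run/v1alpha1` to be accepted by the API server. The minimal instance deploys into `namespace: solar-system` whereas the commented production instance uses `solution-arsenal-system` and the README's verify step runs `kubectl get pods -n solution-arsenal-system`; pick one name so the documented command actually finds the pods. Both issues apply equally to `solution-arsenal/bootstrap.yaml` in this patch. Because the commented `Secret` block invites pasting `.dockerconfigjson` data into this committed file, a comment such as `# Prefer creating this Secret out-of-band (e.g. kubectl create secret docker-registry ...) instead of committing credentials here` would steer operators away from checking registry credentials into Git.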
@@ -0,0 +1,53 @@ +components: + - name: opendefense.cloud/solution-arsenal-discovery + provider: + name: opendefense.cloud + labels: + - name: app.kubernetes.io/name + value: solution-arsenal-discovery + - name: app.kubernetes.io/component + value: registry-scanner + - name: app.kubernetes.io/part-of + value: solution-arsenal + resources: + # ResourceGraphDefinition for KRO bootstrapping + - name: solution-arsenal-discovery-rgd + type: yaml + relation: local + input: + type: file + path: rgd-template.yaml + + # SolutionArsenal Discovery Helm Chart (local) + - name: solution-arsenal-discovery-chart + type: helmChart + version: v0.1.0 + relation: external + access: + type: ociArtifact + imageReference: ghcr.io/opendefensecloud/charts/solar-discovery:0.1.1 + + # Solar Discovery Container Image + - name: solution-arsenal-discovery-image + type: ociImage + version: v0.1.0 + relation: external + access: + type: ociArtifact + imageReference: ghcr.io/opendefensecloud/solar-discovery:0.1.1 + + # Minimal Configuration (single instance, scan-only mode) + - name: solution-arsenal-discovery-minimal-config + type: yaml + relation: local + input: + type: file + path: minimal-values.yaml + + # Production Configuration (2 replicas, webhook enabled, anti-affinity) + - name: solution-arsenal-discovery-production-config + type: yaml + relation: local + input: + type: file + path: production-values.yaml diff --git a/solution-arsenal-discovery/minimal-values.yaml b/solution-arsenal-discovery/minimal-values.yaml new file mode 100644 index 0000000..32077cb --- /dev/null +++ b/solution-arsenal-discovery/minimal-values.yaml 
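Review bot: The chart and image resources declare `version: v0.1.0` but their `imageReference` tags point at `0.1.1`, so the component descriptor advertises a version that differs from the artifact actually fetched; align them (either `version: v0.1.1` or `0.1.0` tags), especially since the RGD later selects the chart by `componentVersion`. The references are also mutable tags; for a descriptor that is meant to be transferred and localized, pinning by digest (`imageReference: ghcr.io/opendefensecloud/solar-discovery:0.1.1@sha256:<digest>`, digest to be filled in) makes the component reproducible and verifiable after transfer. The comment `# SolutionArsenal Discovery Helm Chart (local)` contradicts `relation: external` on the same resource. As far as I recall, the OCM CLI copies `relation: external` artifacts by value only with `--copy-resources`, while `--copy-local-resources` covers `relation: local` blobs, so with every image declared external the transfer command given in the README may not copy the images at all — worth verifying, since image localization depends on it. `solution-arsenal/component-constructor.yaml` in this patch shares the version/tag mismatch, the mutable tags and the same transfer concern.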
@@ -0,0 +1,48 @@ +# Minimal SolutionArsenal Discovery Configuration +# Single-instance setup suitable for: +# - Development environments +# - Testing and evaluation +# - Resource-constrained environments (kind, minikube) +# - Scan-only mode (no webhook required) + +image: + repository: ghcr.io/opendefensecloud/solar-discovery + tag: latest + pullPolicy: IfNotPresent + +replicaCount: 1 + +# No registries configured by default — add your registries here +# registries: +# - name: my-registry +# hostname: registry.example.com +# scanInterval: 24h +# credentials: +# username: ${REGISTRY_USERNAME} +# password: ${REGISTRY_PASSWORD} + +# Namespace where discovered Component/ComponentVersion resources are created +namespace: "" + +# Webhook service enabled but no ingress — webhook can be added later +service: + enabled: true + type: ClusterIP + port: 8080 + +# Minimal resource requests +resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 10m + memory: 64Mi + +# CA bundle disabled for minimal setup +caBundle: + enabled: false + +# RBAC enabled +rbac: + create: true diff --git a/solution-arsenal-discovery/production-values.yaml b/solution-arsenal-discovery/production-values.yaml new file mode 100644 index 0000000..17aa28e --- /dev/null +++ b/solution-arsenal-discovery/production-values.yaml 
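Review bot: `image.tag: latest` together with `pullPolicy: IfNotPresent` means a node that already cached a `latest` image will never pick up a newer build, so the scanner silently runs whatever was pulled first; as a standalone Helm values file this should pin the released tag, `tag: "0.1.1"` (matching `component-constructor.yaml`), or use `pullPolicy: Always` if `latest` is deliberate. The header lists `# - Scan-only mode (no webhook required)` while `service.enabled: true` exposes the webhook port in-cluster; either set `enabled: false` for this profile or reword the header to `# - Webhook service exposed in-cluster, no ingress`. The same `latest`/`IfNotPresent` combination appears in `solution-arsenal-discovery/production-values.yaml` and `solution-arsenal/minimal-values.yaml`.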
@@ -0,0 +1,71 @@ +# Production SolutionArsenal Discovery Configuration +# Highly-available setup suitable for: +# - Production environments +# - Environments with private registries requiring TLS trust + +image: + repository: ghcr.io/opendefensecloud/solar-discovery + tag: latest + pullPolicy: IfNotPresent + +replicaCount: 2 + +# Configure registries to scan — use envFrom to inject credentials from Secrets +# registries: +# - name: internal-registry +# hostname: registry.internal.example.com +# scanInterval: 12h +# credentials: +# username: ${REGISTRY_USERNAME} +# password: ${REGISTRY_PASSWORD} +# webhookPath: events +# flavor: zot + +# Namespace where discovered Component/ComponentVersion resources are created +namespace: "" + +# Webhook service for event-driven registry notifications +service: + enabled: true + type: ClusterIP + port: 8080 + +# Production resource limits +resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 50m + memory: 64Mi + +# Spread replicas across nodes for resilience +affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: app.kubernetes.io/name + operator: In + values: + - solar-discovery + topologyKey: kubernetes.io/hostname + +# CA bundle for private registry TLS trust +# Point to a ConfigMap containing your CA certificates +# (e.g., produced by trust-manager's root-bundle) +caBundle: + enabled: true + configMapName: registry-ca-bundle + key: trust-bundle.pem + +# Inject registry credentials from a Secret +# envFrom: +# - secretRef: +# name: registry-credentials + +# RBAC enabled +rbac: + create: true \ No newline at end of file diff --git a/solution-arsenal-discovery/rgd-template.yaml b/solution-arsenal-discovery/rgd-template.yaml new file mode 100644 index 0000000..4dcc94b --- /dev/null +++ b/solution-arsenal-discovery/rgd-template.yaml 
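Review bot: The `podAntiAffinity` term selects pods by `app.kubernetes.io/name: solar-discovery`, whereas everything else in this patch labels the component `solution-arsenal-discovery`; if the chart's pod template uses a different label value, a preferred anti-affinity term is silently a no-op and both replicas can land on the same node, so the selector should be confirmed against the chart. `caBundle.enabled: true` references `registry-ca-bundle`, which nothing in this patch creates; a comment such as `# This ConfigMap must exist in the release namespace before install, otherwise the pods cannot mount the volume` (or a pointer to the trust-manager Bundle that produces it) would make the prerequisite explicit. The file also ends without a trailing newline (`\ No newline at end of file`), which yamllint flags and which will show up as noise in the next diff.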
@@ -0,0 +1,237 @@ +apiVersion: kro.run/v1alpha1 +kind: ResourceGraphDefinition +metadata: + name: solution-arsenal-discovery-bootstrap + namespace: default +spec: + schema: + apiVersion: v1alpha1 + kind: SolutionArsenalDiscoveryBootstrap + spec: + # Component reference configuration + registry: + url: + type: string + default: "ghcr.io" + componentName: + type: string + default: "opendefense.cloud/solution-arsenal-discovery" + componentVersion: + type: string + default: "0.1.0" + + # Deployment configuration + namespace: + type: string + default: "solar-system" + + # Configuration profile selection + deploymentProfile: + type: string + enum: ["minimal", "production"] + default: "minimal" + + # Replica configuration + replicaCount: + type: integer + minimum: 1 + maximum: 10 + default: 1 + + # Webhook listener configuration + webhookServiceEnabled: + type: boolean + default: true + webhookServicePort: + type: integer + default: 8080 + + # CA bundle for TLS connections to registries + caBundleEnabled: + type: boolean + default: false + caBundleConfigMapName: + type: string + default: "" + caBundleKey: + type: string + default: "trust-bundle.pem" + + # Credentials configuration + ocmConfigSecretName: + type: string + default: "" + + resources: + # OCM Repository resource + - id: ocm-repository + apiVersion: delivery.ocm.software/v1alpha1 + kind: Repository + metadata: + name: solution-arsenal-discovery-repo + namespace: ${schema.spec.namespace} + spec: + url: oci://${schema.spec.registry.url} + secretRef: + name: ${schema.spec.ocmConfigSecretName} + + # OCM Component resource + - id: ocm-component + dependsOn: + - ocm-repository + apiVersion: delivery.ocm.software/v1alpha1 + kind: Component + metadata: + name: solution-arsenal-discovery-component + namespace: ${schema.spec.namespace} + spec: + component: ${schema.spec.componentName} + version: ${schema.spec.componentVersion} + repository: + name: solution-arsenal-discovery-repo + secretRef: + name: 
${schema.spec.ocmConfigSecretName} + + # OCM Resource - Fetch Helm Chart + - id: helm-chart-resource + dependsOn: + - ocm-component + apiVersion: delivery.ocm.software/v1alpha1 + kind: Resource + metadata: + name: solution-arsenal-discovery-chart + namespace: ${schema.spec.namespace} + spec: + resource: solution-arsenal-discovery-chart + component: + name: solution-arsenal-discovery-component + secretRef: + name: ${schema.spec.ocmConfigSecretName} + + # OCM Resource - Fetch Discovery Image metadata + - id: discovery-image-resource + dependsOn: + - ocm-component + apiVersion: delivery.ocm.software/v1alpha1 + kind: Resource + metadata: + name: solution-arsenal-discovery-image + namespace: ${schema.spec.namespace} + spec: + resource: solution-arsenal-discovery-image + component: + name: solution-arsenal-discovery-component + secretRef: + name: ${schema.spec.ocmConfigSecretName} + + # OCM Resource - Fetch configuration values + - id: config-resource + dependsOn: + - ocm-component + apiVersion: delivery.ocm.software/v1alpha1 + kind: Resource + metadata: + name: solution-arsenal-discovery-config + namespace: ${schema.spec.namespace} + spec: + resource: solution-arsenal-discovery-${schema.spec.deploymentProfile}-config + component: + name: solution-arsenal-discovery-component + secretRef: + name: ${schema.spec.ocmConfigSecretName} + + # Namespace for SolutionArsenal Discovery deployment + - id: solution-arsenal-discovery-namespace + apiVersion: v1 + kind: Namespace + metadata: + name: ${schema.spec.namespace} + labels: + app.kubernetes.io/name: solution-arsenal-discovery + app.kubernetes.io/managed-by: kro + + # FluxCD OCIRepository - Watch Helm chart location + - id: oci-repository + dependsOn: + - helm-chart-resource + - solution-arsenal-discovery-namespace + apiVersion: source.toolkit.fluxcd.io/v1beta2 + kind: OCIRepository + metadata: + name: solution-arsenal-discovery-chart + namespace: ${schema.spec.namespace} + spec: + interval: 10m + url: 
${resources.helmChartResource.status.access.imageReference} + ref: + tag: ${schema.spec.componentVersion} + provider: generic + secretRef: + name: ${schema.spec.ocmConfigSecretName} + + # ConfigMap with base configuration values from OCM component + - id: base-config + dependsOn: + - config-resource + - solution-arsenal-discovery-namespace + apiVersion: v1 + kind: ConfigMap + metadata: + name: solution-arsenal-discovery-base-config + namespace: ${schema.spec.namespace} + data: + values.yaml: ${resources.configResource.status.content} + + # FluxCD HelmRelease - Deploy SolutionArsenal Discovery with localized image + - id: helm-release + dependsOn: + - oci-repository + - discovery-image-resource + - base-config + apiVersion: helm.toolkit.fluxcd.io/v2 + kind: HelmRelease + metadata: + name: solution-arsenal-discovery + namespace: ${schema.spec.namespace} + spec: + interval: 10m + timeout: 10m + chart: + spec: + chart: solar-discovery + version: ${schema.spec.componentVersion} + sourceRef: + kind: OCIRepository + name: solution-arsenal-discovery-chart + namespace: ${schema.spec.namespace} + + # Merge base configuration with localized image references + valuesFrom: + - kind: ConfigMap + name: solution-arsenal-discovery-base-config + optional: false + + values: + # Override image with localized reference from OCM + replicaCount: ${schema.spec.replicaCount} + image: + repository: ${resources.discoveryImageResource.status.access.imageReference | split(":")[0]} + tag: ${resources.discoveryImageResource.status.access.imageReference | split(":")[1]} + + # Webhook service configuration + service: + enabled: ${schema.spec.webhookServiceEnabled} + type: ClusterIP + port: ${schema.spec.webhookServicePort} + + # CA bundle for registry TLS + caBundle: + enabled: ${schema.spec.caBundleEnabled} + configMapName: ${schema.spec.caBundleConfigMapName} + key: ${schema.spec.caBundleKey} + + status: + conditions: + - type: Ready + reason: AllResourcesReady + message: "All SolutionArsenal 
Discovery resources are deployed and ready" diff --git a/solution-arsenal/README.md b/solution-arsenal/README.md new file mode 100644 index 0000000..706ad4e --- /dev/null +++ b/solution-arsenal/README.md 
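Review bot: The `image.repository`/`image.tag` values in the `helm-release` resource derive from `imageReference | split(":")`, which breaks as soon as the registry host carries a port: for the `localhost:5001` transfer the README recommends, `split(":")[0]` yields `localhost` and `[1]` yields `5001/opendefensecloud/solar-discovery`, and a digest-form reference (`...@sha256:...`) is split wrongly as well. Splitting on the last `:` after the final `/` (or letting the chart accept one full image reference) would be robust to both; if the expression language available here has no such helper, a comment stating the port-less, tag-only assumption is the minimum. Every OCM resource also sets `secretRef.name: ${schema.spec.ocmConfigSecretName}` unconditionally, and the schema default is `""`; unless the OCM controllers treat an empty name as "no secret", the default instance will try to resolve a Secret named `""` — confirm that behaviour or emit the field only when the name is non-empty. Finally, `OCIRepository.spec.ref.tag` and the `HelmRelease` chart `version` both use `componentVersion` (`0.1.0`) while `component-constructor.yaml` pushes the chart at tag `0.1.1`, so the chart selection should come from the resolved chart reference rather than from the component version.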
@@ -0,0 +1,93 @@ +# Solution Arsenal (SolAr) OCM Component + +This directory contains the OCM (Open Component Model) packaging for [Solution Arsenal (SolAr)](https://github.com/opendefensecloud/solution-arsenal), an application catalog and fleet rollout manager. + +## Component structure + +``` +solution-arsenal/ +├── bootstrap.yaml # OCM K8s Toolkit bootstrap + example CR instances +├── component-constructor.yaml # OCM component descriptor +├── minimal-values.yaml # Helm values: single-instance dev/test profile +├── production-values.yaml # Helm values: HA production profile +└── rgd-template.yaml # KRO ResourceGraphDefinition +``` + + + +## Prerequisites + +### Required +- **Kubernetes** +- **Helm** +- **cert-manager** + +### Optional +- **KRO (Kubernetes Resource Orchestrator)**: For RGD-based bootstrapping +- **OCM K8s Toolkit**: For OCM-based deployment +- **FluxCD**: For GitOps-style deployments + +## Quick start + +### 1. Build the CTF archive + +Run from the `solution-arsenal/` directory of this repo: + +```bash +ocm add componentversion --version 0.1.0 --create --file ./ctf component-constructor.yaml +``` + +### 2. Transfer to a registry + +```bash +# Public registry (replace with your org) +ocm transfer ctf --copy-local-resources ./ctf ghcr.io/your-org + +# Local registry for testing +ocm transfer ctf --copy-local-resources ./ctf localhost:5001 +``` + +The `--copy-local-resources` flag rewrites the image references inside the component to point to the target registry. The RGD picks up these rewritten references at runtime so images are pulled from the correct location. + +### 3. Edit bootstrap.yaml + +Open `bootstrap.yaml` and set the registry URL in the `Repository` resource: + +```yaml +spec: + url: oci://ghcr.io/your-org +``` + +If the registry is private, uncomment the `Secret` block and the `secretRef` fields throughout the file. + +### 4. 
Apply the bootstrap + +```bash +kubectl apply -f bootstrap.yaml +``` + +This creates the OCM K8s Toolkit resources that fetch the RGD and the `SolutionArsenalBootstrap` CR that triggers the actual deployment. + +### 5. Verify + +```bash +# RGD created by the deployer +kubectl get rgd solution-arsenal-bootstrap + +# CRD registered by KRO +kubectl get crd solutionarsenalbootstraps.kro.run + +# Bootstrap instance status +kubectl get solutionarsenalbootstrap -A + +# Application pods +kubectl get pods -n solar-system +``` + + +## Resources + +- [Solution Arsenal repository](https://github.com/opendefensecloud/solution-arsenal) +- [SolAr documentation](https://solar.opendefense.cloud) +- [OCM specification](https://ocm.software) +- [KRO documentation](https://kro.run) diff --git a/solution-arsenal/bootstrap.yaml b/solution-arsenal/bootstrap.yaml new file mode 100644 index 0000000..5e43deb --- /dev/null +++ b/solution-arsenal/bootstrap.yaml 
@@ -0,0 +1,159 @@ +--- +# Bootstrap configuration for SolutionArsenal component deployment +# This file uses OCM K8s Toolkit to fetch and deploy the ResourceGraphDefinition +# from the OCM component, enabling self-contained deployment with automatic +# image localization when components are transferred between registries. + +apiVersion: v1 +kind: Namespace +metadata: + name: ocm-system +--- +# Optional: Secret for private registry access +# Uncomment and configure if using a private OCI registry +# apiVersion: v1 +# kind: Secret +# metadata: +# name: ocm-registry-credentials +# namespace: ocm-system +# type: kubernetes.io/dockerconfigjson +# data: +# .dockerconfigjson: +--- +# OCM Repository - Points to the OCI registry containing OCM components +apiVersion: delivery.ocm.software/v1alpha1 +kind: Repository +metadata: + name: solution-arsenal-repo + namespace: ocm-system +spec: + # Replace with your OCM registry URL + url: oci://ghcr.io/your-org/ocm-components + # Optional: Reference secret for private registry access + # secretRef: + # name: ocm-registry-credentials +--- +# OCM Component - References the specific SolutionArsenal component +apiVersion: delivery.ocm.software/v1alpha1 +kind: Component +metadata: + name: solution-arsenal-component + namespace: ocm-system +spec: + component: opendefense.cloud/solution-arsenal + version: 0.1.0 + repository: + name: solution-arsenal-repo + # Optional: Reference secret for private registry access + # secretRef: + # name: ocm-registry-credentials +--- +# OCM Resource - Fetches the ResourceGraphDefinition from the component +apiVersion: delivery.ocm.software/v1alpha1 +kind: Resource +metadata: + name: solution-arsenal-rgd + namespace: ocm-system +spec: + resource: solution-arsenal-rgd + component: + name: solution-arsenal-component + # Optional: Reference secret for private registry access + # secretRef: + # name: ocm-registry-credentials +--- +# OCM Deployer - Applies the RGD content to the cluster +# Note: This is a 
cluster-scoped operation that creates the RGD CRD +apiVersion: delivery.ocm.software/v1alpha1 +kind: Deployer +metadata: + name: solution-arsenal-rgd-deployer + namespace: ocm-system +spec: + resource: + name: solution-arsenal-rgd + # Optional: Reference secret for private registry access + # secretRef: + # name: ocm-registry-credentials +--- +# Example SolutionArsenal Bootstrap instance - Minimal configuration +# This creates an actual deployment using the RGD +apiVersion: v1alpha1 +kind: SolutionArsenalBootstrap +metadata: + name: solution-arsenal-minimal + namespace: default +spec: + # Registry configuration + registry: + url: ghcr.io # Replace with your registry if using a private one + + # Component reference + componentName: opendefense.cloud/solution-arsenal + componentVersion: 0.1.0 + + # Deployment configuration + namespace: solar-system + + # Use minimal profile for development/testing + deploymentProfile: minimal + + # Replica configuration for minimal setup + apiServerReplicas: 1 + controllerReplicas: 1 + etcdReplicas: 1 + + # etcd storage configuration + etcdStorageSize: 1Gi + # etcdStorageClass: "" # Leave empty to use default storage class + + # cert-manager required for TLS + certManagerEnabled: true + + # Monitoring disabled for minimal profile + metricsEnabled: false + prometheusEnabled: false + + # Optional: Reference to OCM config secret for private registries + # ocmConfigSecretName: ocm-registry-credentials +--- +# Example SolutionArsenal Bootstrap instance - Production configuration +# Uncomment to deploy a production-grade HA setup +# apiVersion: v1alpha1 +# kind: SolutionArsenalBootstrap +# metadata: +# name: solution-arsenal-production +# namespace: default +# spec: +# # Registry configuration +# registry: +# url: ghcr.io +# +# # Component reference +# componentName: opendefense.cloud/solution-arsenal +# componentVersion: 0.1.0 +# +# # Deployment configuration +# namespace: solution-arsenal-system +# +# # Use production profile for HA 
setup +# deploymentProfile: production +# +# # High availability with 3 replicas for each component +# apiServerReplicas: 3 +# controllerReplicas: 3 +# etcdReplicas: 3 +# +# # etcd storage configuration +# etcdStorageSize: 20Gi +# etcdStorageClass: fast-ssd # Use your high-performance storage class +# +# # cert-manager required for TLS +# certManagerEnabled: true +# +# # Monitoring enabled for production +# metricsEnabled: true +# prometheusEnabled: true +# +# # Optional: Reference to OCM config secret for private registries +# # ocmConfigSecretName: ocm-registry-credentials diff --git a/solution-arsenal/component-constructor.yaml b/solution-arsenal/component-constructor.yaml new file mode 100644 index 0000000..1e8c990 --- /dev/null +++ b/solution-arsenal/component-constructor.yaml 
@@ -0,0 +1,80 @@ +components: + - name: opendefense.cloud/solution-arsenal + provider: + name: opendefense.cloud + labels: + - name: app.kubernetes.io/name + value: solution-arsenal + - name: app.kubernetes.io/component + value: solution-catalog + - name: app.kubernetes.io/part-of + value: solution-arsenal + resources: + # ResourceGraphDefinition for KRO bootstrapping + - name: solution-arsenal-rgd + type: yaml + relation: local + input: + type: file + path: rgd-template.yaml + + # SolutionArsenal Helm Chart (local) + - name: solution-arsenal-chart + type: helmChart + version: v0.1.0 + relation: external + access: + type: ociArtifact + imageReference: ghcr.io/opendefensecloud/charts/solar:0.1.1 + + # API Server Container Image + - name: solution-arsenal-apiserver-image + type: ociImage + version: v0.1.0 + relation: external + access: + type: ociArtifact + imageReference: ghcr.io/opendefensecloud/solar-apiserver:0.1.1 + + # Controller Manager Container Image + - name: solution-arsenal-controller-manager-image + type: ociImage + version: v0.1.0 + relation: external + access: + type: ociArtifact + imageReference: ghcr.io/opendefensecloud/solar-controller-manager:0.1.1 + + # Renderer Container Image + - name: solution-arsenal-renderer-image + type: ociImage + version: 0.1.0 + relation: external + access: + type: ociArtifact + imageReference: ghcr.io/opendefensecloud/solar-renderer:0.1.1 + + # etcd Container Image + - name: etcd-image + type: ociImage + version: v3.6.10 + relation: external + access: + type: ociArtifact + imageReference: quay.io/coreos/etcd:v3.6.10 + + # Minimal Configuration (single instance, development) + - name: solution-arsenal-minimal-config + type: yaml + relation: local + input: + type: file + path: minimal-values.yaml + + # Production Configuration (HA with replicas, metrics enabled) + - name: solution-arsenal-production-config + type: yaml + relation: local + input: + type: file + path: production-values.yaml 
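Review bot: The renderer image resource declares `version: 0.1.0` while the sibling apiserver and controller-manager resources declare `version: v0.1.0`, so the same release is recorded under two different version strings inside one component descriptor; use `version: v0.1.0` here (or whichever corrected value is chosen for all three, given the `0.1.1` tags). `etcd-image` is the only resource sourced from a third-party registry (`quay.io/coreos/etcd`); a short comment `# third-party image, pinned to the etcd release the chart expects` next to it documents why it is versioned independently of the `solution-arsenal-*` resources.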
diff --git a/solution-arsenal/minimal-values.yaml b/solution-arsenal/minimal-values.yaml new file mode 100644 index 0000000..9e77b46 --- /dev/null +++ b/solution-arsenal/minimal-values.yaml @@ -0,0 +1,100 @@ +# Minimal SolutionArsenal Configuration +# Single-instance setup suitable for: +# - Development environments +# - Testing and evaluation +# - Resource-constrained environments (kind, minikube) +# - Non-HA scenarios + +# API Server - single instance, minimal resources +apiserver: + enabled: true + replicaCount: 1 + + image: + repository: ghcr.io/opendefensecloud/solar-apiserver + tag: latest + pullPolicy: IfNotPresent + + resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 10m + memory: 64Mi + + service: + type: ClusterIP + port: 443 + +# Renderer - minimal resources +renderer: + image: + repository: ghcr.io/opendefensecloud/solar-renderer + tag: latest + +# Controller Manager - single instance, leader election disabled +controller: + enabled: true + replicaCount: 1 + + image: + repository: ghcr.io/opendefensecloud/solar-controller-manager + tag: latest + pullPolicy: IfNotPresent + + args: + healthProbeBindAddress: ":8081" + metricsBindAddress: "0" + metricsSecure: true + enableHTTP2: false + leaderElect: false + + metrics: + enabled: false + + resources: + limits: + cpu: 300m + memory: 128Mi + requests: + cpu: 100m + memory: 64Mi + +# etcd - single instance, minimal storage +etcd: + enabled: true + replicaCount: 1 + + image: + repository: quay.io/coreos/etcd + tag: v3.6.10 + pullPolicy: IfNotPresent + + persistence: + enabled: true + size: 1Gi + storageClass: "" + + resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 10m + memory: 64Mi + +# cert-manager integration - self-signed issuer +certManager: + enabled: true + issuer: + create: true + kind: Issuer + selfSigned: true + certificate: + duration: 2160h # 90 days + renewBefore: 720h # 30 days + +# RBAC enabled +rbac: + create: true 
diff --git a/solution-arsenal/production-values.yaml b/solution-arsenal/production-values.yaml
new file mode 100644
index 0000000..fe9ebe5
--- /dev/null
+++ b/solution-arsenal/production-values.yaml
@@ -0,0 +1,176 @@
+# Production SolutionArsenal Configuration
+# Highly-available setup suitable for:
+# - Production environments
+# - Mission-critical workloads
+# - Enterprise deployments
+
+# API Server - 3 replicas, HA with anti-affinity
+apiserver:
+ enabled: true
+ replicaCount: 3
+
+ image:
+ repository: ghcr.io/opendefensecloud/solar-apiserver
+ tag: latest
+ pullPolicy: IfNotPresent
+
+ resources:
+ limits:
+ cpu: 1000m
+ memory: 512Mi
+ requests:
+ cpu: 250m
+ memory: 256Mi
+
+ service:
+ type: ClusterIP
+ port: 443
+
+ # Spread replicas across nodes
+ affinity:
+ podAntiAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 100
+ podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/name
+ operator: In
+ values:
+ - solar
+ - key: app.kubernetes.io/component
+ operator: In
+ values:
+ - apiserver
+ topologyKey: kubernetes.io/hostname
+
+# Renderer - production resources
+renderer:
+ image:
+ repository: ghcr.io/opendefensecloud/solar-renderer
+ tag: latest
+
+# Controller Manager - 3 replicas, leader election enabled
+controller:
+ enabled: true
+ replicaCount: 3
+
+ image:
+ repository: ghcr.io/opendefensecloud/solar-controller-manager
+ tag: latest
+ pullPolicy: IfNotPresent
+
+ args:
+ healthProbeBindAddress: ":8081"
+ metricsBindAddress: ":8443"
+ metricsSecure: true
+ enableHTTP2: false
+ leaderElect: true
+
+ # Enable metrics for production monitoring
+ metrics:
+ enabled: true
+ service:
+ type: ClusterIP
+ port: 8443
+ certManager:
+ enabled: true
+ serviceMonitor:
+ enabled: true
+ interval: 30s
+ scrapeTimeout: 10s
+ additionalLabels:
+ release: prometheus
+
+ resources:
+ limits:
+ cpu: 500m
+ memory: 256Mi
+ requests:
+ cpu: 200m
+ memory: 128Mi
+
+ # Spread replicas across nodes
+ affinity:
+ podAntiAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 100
+ podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/name
+ operator: In
+ values:
+ - solar
+ - key: app.kubernetes.io/component
+ operator: In
+ values:
+ - controller-manager
+ topologyKey: kubernetes.io/hostname
+
+# etcd - 3 replicas, production storage
+etcd:
+ enabled: true
+ replicaCount: 3
+
+ image:
+ repository: quay.io/coreos/etcd
+ tag: v3.6.10
+ pullPolicy: IfNotPresent
+
+ persistence:
+ enabled: true
+ size: 20Gi
+ # storageClass: "fast-ssd" # Uncomment and set to your high-performance storage class
+ storageClass: ""
+
+ resources:
+ limits:
+ cpu: 1000m
+ memory: 512Mi
+ requests:
+ cpu: 250m
+ memory: 256Mi
+
+ # Spread replicas across nodes
+ affinity:
+ podAntiAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 100
+ podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/name
+ operator: In
+ values:
+ - solar
+ - key: app.kubernetes.io/component
+ operator: In
+ values:
+ - etcd
+ topologyKey: kubernetes.io/hostname
+
+# cert-manager integration - ClusterIssuer for production
+certManager:
+ enabled: true
+ issuer:
+ create: true
+ kind: ClusterIssuer
+ selfSigned: true
+ # Alternative: Use CA issuer if you have an internal CA
+ # ca:
+ # enabled: true
+ # secretName: "ca-key-pair"
+ # Alternative: Use Let's Encrypt ACME for public certificates
+ # acme:
+ # enabled: true
+ # server: "https://acme-v02.api.letsencrypt.org/directory"
+ # email: "admin@example.com"
+ # privateKeySecretRef: "letsencrypt-production"
+ certificate:
+ duration: 8760h # 1 year
+ renewBefore: 2160h # 90 days
+
+# RBAC enabled
+rbac:
+ create: true
diff --git a/solution-arsenal/rgd-template.yaml b/solution-arsenal/rgd-template.yaml
new file mode 100644
index 0000000..885c045
--- /dev/null
+++ b/solution-arsenal/rgd-template.yaml
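Review bot: The etcd anti-affinity in the etcd block is `preferredDuringSchedulingIgnoredDuringExecution` with `weight: 100`, so when nodes are short on resources the scheduler may still place two or all three members on one node, and a single node loss then takes the quorum with it — the opposite of what the "3 replicas, production storage" header and the HA claim at the top of the file promise. For the etcd member set use `requiredDuringSchedulingIgnoredDuringExecution:` with the same `labelSelector` and `topologyKey: kubernetes.io/hostname`, dropping the `weight`/`podAffinityTerm` wrapper that the required form does not take; the apiserver and controller blocks can stay preferred if that trade-off is intended, the controller being leader-elected (`leaderElect: true`) anyway. Separately, `serviceMonitor.additionalLabels: release: prometheus` hard-codes one Prometheus Operator release name, which silently results in no scrape on clusters that use a different selector; a comment such as `# must match the serviceMonitorSelector of your Prometheus instance` would make that explicit.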
@@ -0,0 +1,320 @@
+apiVersion: kro.run/v1alpha1
+kind: ResourceGraphDefinition
+metadata:
+ name: solution-arsenal-bootstrap
+ namespace: default
+spec:
+ schema:
+ apiVersion: v1alpha1
+ kind: SolutionArsenalBootstrap
+ spec:
+ # Component reference configuration
+ registry:
+ url:
+ type: string
+ default: "ghcr.io"
+ componentName:
+ type: string
+ default: "opendefense.cloud/solution-arsenal"
+ componentVersion:
+ type: string
+ default: "0.1.0"
+
+ # Deployment configuration
+ namespace:
+ type: string
+ default: "solar-system"
+
+ # Configuration profile selection
+ deploymentProfile:
+ type: string
+ enum: ["minimal", "production"]
+ default: "minimal"
+
+ # API Server configuration
+ apiServerReplicas:
+ type: integer
+ minimum: 1
+ maximum: 10
+ default: 1
+
+ # Controller Manager configuration
+ controllerReplicas:
+ type: integer
+ minimum: 1
+ maximum: 10
+ default: 1
+
+ # etcd configuration
+ etcdReplicas:
+ type: integer
+ minimum: 1
+ maximum: 10
+ default: 1
+ etcdStorageSize:
+ type: string
+ default: "1Gi"
+ etcdStorageClass:
+ type: string
+ default: ""
+
+ # Metrics / monitoring configuration
+ metricsEnabled:
+ type: boolean
+ default: false
+ prometheusEnabled:
+ type: boolean
+ default: false
+
+ # cert-manager integration
+ certManagerEnabled:
+ type: boolean
+ default: true
+
+ # Credentials configuration
+ ocmConfigSecretName:
+ type: string
+ default: ""
+
+ resources:
+ # OCM Repository resource
+ - id: ocm-repository
+ apiVersion: delivery.ocm.software/v1alpha1
+ kind: Repository
+ metadata:
+ name: solution-arsenal-repo
+ namespace: ${schema.spec.namespace}
+ spec:
+ url: oci://${schema.spec.registry.url}
+ secretRef:
+ name: ${schema.spec.ocmConfigSecretName}
+
+ # OCM Component resource
+ - id: ocm-component
+ dependsOn:
+ - ocm-repository
+ apiVersion: delivery.ocm.software/v1alpha1
+ kind: Component
+ metadata:
+ name: solution-arsenal-component
+ namespace: ${schema.spec.namespace}
+ spec:
+ component: ${schema.spec.componentName}
+ version: ${schema.spec.componentVersion}
+ repository:
+ name: solution-arsenal-repo
+ secretRef:
+ name: ${schema.spec.ocmConfigSecretName}
+
+ # OCM Resource - Fetch Helm Chart
+ - id: helm-chart-resource
+ dependsOn:
+ - ocm-component
+ apiVersion: delivery.ocm.software/v1alpha1
+ kind: Resource
+ metadata:
+ name: solution-arsenal-chart
+ namespace: ${schema.spec.namespace}
+ spec:
+ resource: solution-arsenal-chart
+ component:
+ name: solution-arsenal-component
+ secretRef:
+ name: ${schema.spec.ocmConfigSecretName}
+
+ # OCM Resource - Fetch API Server Image metadata
+ - id: apiserver-image-resource
+ dependsOn:
+ - ocm-component
+ apiVersion: delivery.ocm.software/v1alpha1
+ kind: Resource
+ metadata:
+ name: solution-arsenal-apiserver-image
+ namespace: ${schema.spec.namespace}
+ spec:
+ resource: solution-arsenal-apiserver-image
+ component:
+ name: solution-arsenal-component
+ secretRef:
+ name: ${schema.spec.ocmConfigSecretName}
+
+ # OCM Resource - Fetch Controller Manager Image metadata
+ - id: controller-image-resource
+ dependsOn:
+ - ocm-component
+ apiVersion: delivery.ocm.software/v1alpha1
+ kind: Resource
+ metadata:
+ name: solution-arsenal-controller-image
+ namespace: ${schema.spec.namespace}
+ spec:
+ resource: solution-arsenal-controller-manager-image
+ component:
+ name: solution-arsenal-component
+ secretRef:
+ name: ${schema.spec.ocmConfigSecretName}
+
+ # OCM Resource - Fetch Renderer Image metadata
+ - id: renderer-image-resource
+ dependsOn:
+ - ocm-component
+ apiVersion: delivery.ocm.software/v1alpha1
+ kind: Resource
+ metadata:
+ name: solution-arsenal-renderer-image
+ namespace: ${schema.spec.namespace}
+ spec:
+ resource: solution-arsenal-renderer-image
+ component:
+ name: solution-arsenal-component
+ secretRef:
+ name: ${schema.spec.ocmConfigSecretName}
+
+ # OCM Resource - Fetch etcd Image metadata
+ - id: etcd-image-resource
+ dependsOn:
+ - ocm-component
+ apiVersion: delivery.ocm.software/v1alpha1
+ kind: Resource
+ metadata:
+ name: solution-arsenal-etcd-image
+ namespace: ${schema.spec.namespace}
+ spec:
+ resource: etcd-image
+ component:
+ name: solution-arsenal-component
+ secretRef:
+ name: ${schema.spec.ocmConfigSecretName}
+
+ # OCM Resource - Fetch configuration values
+ - id: config-resource
+ dependsOn:
+ - ocm-component
+ apiVersion: delivery.ocm.software/v1alpha1
+ kind: Resource
+ metadata:
+ name: solution-arsenal-config
+ namespace: ${schema.spec.namespace}
+ spec:
+ resource: solution-arsenal-${schema.spec.deploymentProfile}-config
+ component:
+ name: solution-arsenal-component
+ secretRef:
+ name: ${schema.spec.ocmConfigSecretName}
+
+ # Namespace for SolutionArsenal deployment
+ - id: solution-arsenal-namespace
+ apiVersion: v1
+ kind: Namespace
+ metadata:
+ name: ${schema.spec.namespace}
+ labels:
+ app.kubernetes.io/name: solution-arsenal
+ app.kubernetes.io/managed-by: kro
+
+ # FluxCD OCIRepository - Watch Helm chart location
+ - id: oci-repository
+ dependsOn:
+ - helm-chart-resource
+ - solution-arsenal-namespace
+ apiVersion: source.toolkit.fluxcd.io/v1beta2
+ kind: OCIRepository
+ metadata:
+ name: solution-arsenal-chart
+ namespace: ${schema.spec.namespace}
+ spec:
+ interval: 10m
+ url: ${resources.helmChartResource.status.access.imageReference}
+ ref:
+ tag: ${schema.spec.componentVersion}
+ provider: generic
+ secretRef:
+ name: ${schema.spec.ocmConfigSecretName}
+
+ # ConfigMap with base configuration values from OCM component
+ - id: base-config
+ dependsOn:
+ - config-resource
+ - solution-arsenal-namespace
+ apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: solution-arsenal-base-config
+ namespace: ${schema.spec.namespace}
+ data:
+ values.yaml: ${resources.configResource.status.content}
+
+ # FluxCD HelmRelease - Deploy SolutionArsenal with localized images
+ - id: helm-release
+ dependsOn:
+ - oci-repository
+ - apiserver-image-resource
+ - controller-image-resource
+ - renderer-image-resource
+ - etcd-image-resource
+ - base-config
+ apiVersion: helm.toolkit.fluxcd.io/v2
+ kind: HelmRelease
+ metadata:
+ name: solution-arsenal
+ namespace: ${schema.spec.namespace}
+ spec:
+ interval: 10m
+ timeout: 10m
+ chart:
+ spec:
+ chart: solar
+ version: ${schema.spec.componentVersion}
+ sourceRef:
+ kind: OCIRepository
+ name: solution-arsenal-chart
+ namespace: ${schema.spec.namespace}
+
+ # Merge base configuration with localized image references
+ valuesFrom:
+ - kind: ConfigMap
+ name: solution-arsenal-base-config
+ optional: false
+
+ values:
+ # Override images with localized references from OCM
+ apiserver:
+ replicaCount: ${schema.spec.apiServerReplicas}
+ image:
+ repository: ${resources.apiserverImageResource.status.access.imageReference | split(":")[0]}
+ tag: ${resources.apiserverImageResource.status.access.imageReference | split(":")[1]}
+
+ renderer:
+ image:
+ repository: ${resources.rendererImageResource.status.access.imageReference | split(":")[0]}
+ tag: ${resources.rendererImageResource.status.access.imageReference | split(":")[1]}
+
+ controller:
+ replicaCount: ${schema.spec.controllerReplicas}
+ image:
+ repository: ${resources.controllerImageResource.status.access.imageReference | split(":")[0]}
+ tag: ${resources.controllerImageResource.status.access.imageReference | split(":")[1]}
+ args:
+ leaderElect: ${schema.spec.controllerReplicas > 1}
+ metrics:
+ enabled: ${schema.spec.metricsEnabled}
+ serviceMonitor:
+ enabled: ${schema.spec.prometheusEnabled}
+
+ etcd:
+ replicaCount: ${schema.spec.etcdReplicas}
+ image:
+ repository: ${resources.etcdImageResource.status.access.imageReference | split(":")[0]}
+ tag: ${resources.etcdImageResource.status.access.imageReference | split(":")[1]}
+ persistence:
+ size: ${schema.spec.etcdStorageSize}
+ storageClass: ${schema.spec.etcdStorageClass}
+
+ certManager:
+ enabled: ${schema.spec.certManagerEnabled}
+
+ status:
+ conditions:
+ - type: Ready
+ reason: AllResourcesReady
+ message: "All SolutionArsenal resources are deployed and ready" From 77bc657b4921dd70faf211ffcbc4f9cd0922c5a3 Mon Sep 17 00:00:00 2001 From: Doreen Seider Date: Tue, 28 Apr 2026 22:07:40 +0200 Subject: [PATCH 2/3] Remove kro RGDs from solar components --- solution-arsenal-discovery/README.md | 42 --- solution-arsenal-discovery/bootstrap.yaml | 149 -------- .../component-constructor.yaml | 10 +- solution-arsenal-discovery/rgd-template.yaml | 237 ------------- solution-arsenal/README.md | 46 --- solution-arsenal/bootstrap.yaml | 159 --------- solution-arsenal/rgd-template.yaml | 320 ------------------ 7 files changed, 1 insertion(+), 962 deletions(-) delete mode 100644 solution-arsenal-discovery/bootstrap.yaml delete mode 100644 solution-arsenal-discovery/rgd-template.yaml delete mode 100644 solution-arsenal/bootstrap.yaml delete mode 100644 solution-arsenal/rgd-template.yaml diff --git a/solution-arsenal-discovery/README.md b/solution-arsenal-discovery/README.md index c739efe..e392249 100644 --- a/solution-arsenal-discovery/README.md +++ b/solution-arsenal-discovery/README.md @@ -6,11 +6,9 @@ This directory contains the OCM (Open Component Model) packaging for [SolAr Disc ``` solution-arsenal-discovery/ -├── bootstrap.yaml # OCM K8s Toolkit bootstrap + example CR instances ├── component-constructor.yaml # OCM component descriptor ├── minimal-values.yaml # Helm values: single-instance dev/test profile ├── production-values.yaml # Helm values: HA production profile -└── rgd-template.yaml # KRO ResourceGraphDefinition ``` ## Prerequisites @@ -19,10 +17,6 @@ solution-arsenal-discovery/ - **Kubernetes** - **Helm** -### Optional -- **KRO (Kubernetes Resource Orchestrator)**: For RGD-based bootstrapping -- **OCM K8s Toolkit**: For OCM-based deployment -- **FluxCD**: For GitOps-style deployments ## Quick start 
@@ -46,44 +40,8 @@ ocm transfer ctf --copy-local-resources ./ctf localhost:5001 The `--copy-local-resources` flag rewrites the image references inside the component to point to the target registry. The RGD picks up these rewritten references at runtime so images are pulled from the correct location. -### 3. Edit bootstrap.yaml - -Open `bootstrap.yaml` and set the registry URL in the `Repository` resource: - -```yaml -spec: - url: oci://ghcr.io/your-org -``` - -If the registry is private, uncomment the `Secret` block and the `secretRef` fields throughout the file. - -### 4. Apply the bootstrap - -```bash -kubectl apply -f bootstrap.yaml -``` - -This creates the OCM K8s Toolkit resources that fetch the RGD and the `SolutionArsenalDiscoveryBootstrap` CR that triggers the actual deployment. - -### 5. Verify - -```bash -# RGD created by the deployer -kubectl get rgd solution-arsenal-discovery-bootstrap - -# CRD registered by KRO -kubectl get crd solutionarsenaldiscoverybootstraps.kro.run - -# Bootstrap instance status -kubectl get solutionarsenaldiscoverybootstrap -A - -# Application pods -kubectl get pods -n solution-arsenal-system -``` - ## Resources - [Solution Arsenal repository](https://github.com/opendefensecloud/solution-arsenal) - [SolAr documentation](https://solar.opendefense.cloud) - [OCM specification](https://ocm.software) -- [KRO documentation](https://kro.run) diff --git a/solution-arsenal-discovery/bootstrap.yaml b/solution-arsenal-discovery/bootstrap.yaml deleted file mode 100644 index f489418..0000000 --- a/solution-arsenal-discovery/bootstrap.yaml +++ /dev/null 
@@ -1,149 +0,0 @@ ---- -# Bootstrap configuration for SolutionArsenal Discovery component deployment -# This file uses OCM K8s Toolkit to fetch and deploy the ResourceGraphDefinition -# from the OCM component, enabling self-contained deployment with automatic -# image localization when components are transferred between registries. - -apiVersion: v1 -kind: Namespace -metadata: - name: ocm-system ---- -# Optional: Secret for private registry access -# Uncomment and configure if using a private OCI registry -# apiVersion: v1 -# kind: Secret -# metadata: -# name: ocm-registry-credentials -# namespace: ocm-system -# type: kubernetes.io/dockerconfigjson -# data: -# .dockerconfigjson: ---- -# OCM Repository - Points to the OCI registry containing OCM components -apiVersion: delivery.ocm.software/v1alpha1 -kind: Repository -metadata: - name: solution-arsenal-discovery-repo - namespace: ocm-system -spec: - # Replace with your OCM registry URL - url: oci://ghcr.io/your-org/ocm-components - # Optional: Reference secret for private registry access - # secretRef: - # name: ocm-registry-credentials ---- -# OCM Component - References the specific SolutionArsenal Discovery component -apiVersion: delivery.ocm.software/v1alpha1 -kind: Component -metadata: - name: solution-arsenal-discovery-component - namespace: ocm-system -spec: - component: opendefense.cloud/solution-arsenal-discovery - version: 0.1.0 - repository: - name: solution-arsenal-discovery-repo - # Optional: Reference secret for private registry access - # secretRef: - # name: ocm-registry-credentials ---- -# OCM Resource - Fetches the ResourceGraphDefinition from the component -apiVersion: delivery.ocm.software/v1alpha1 -kind: Resource -metadata: - name: solution-arsenal-discovery-rgd - namespace: ocm-system -spec: - resource: solution-arsenal-discovery-rgd - component: - name: solution-arsenal-discovery-component - # Optional: Reference secret for private registry access - # secretRef: - # name: 
ocm-registry-credentials ---- -# OCM Deployer - Applies the RGD content to the cluster -# Note: This is a cluster-scoped operation that creates the RGD CRD -apiVersion: delivery.ocm.software/v1alpha1 -kind: Deployer -metadata: - name: solution-arsenal-discovery-rgd-deployer - namespace: ocm-system -spec: - resource: - name: solution-arsenal-discovery-rgd - # Optional: Reference secret for private registry access - # secretRef: - # name: ocm-registry-credentials ---- -# Example SolutionArsenal Discovery Bootstrap instance - Minimal configuration -# Deploys a single scanner instance in scan-only mode -apiVersion: v1alpha1 -kind: SolutionArsenalDiscoveryBootstrap -metadata: - name: solution-arsenal-discovery-minimal - namespace: default -spec: - # Registry configuration - registry: - url: ghcr.io # Replace with your registry if using a private one - - # Component reference - componentName: opendefense.cloud/solution-arsenal-discovery - componentVersion: 0.1.0 - - # Deployment configuration - namespace: solar-system - - # Use minimal profile for development/testing - deploymentProfile: minimal - - # Single replica for minimal setup - replicaCount: 1 - - # Webhook service enabled (but no registries configured yet) - webhookServiceEnabled: true - webhookServicePort: 8080 - - # CA bundle disabled for minimal setup - caBundleEnabled: false - - # Optional: Reference to OCM config secret for private registries - # ocmConfigSecretName: ocm-registry-credentials ---- -# Example SolutionArsenal Discovery Bootstrap instance - Production configuration -# Uncomment to deploy a production-grade setup with anti-affinity -# apiVersion: v1alpha1 -# kind: SolutionArsenalDiscoveryBootstrap -# metadata: -# name: solution-arsenal-discovery-production -# namespace: default -# spec: -# # Registry configuration -# registry: -# url: ghcr.io -# -# # Component reference -# componentName: opendefense.cloud/solution-arsenal-discovery -# componentVersion: 0.1.0 -# -# # Deployment configuration -# 
namespace: solution-arsenal-system -# -# # Use production profile -# deploymentProfile: production -# -# # 2 replicas for redundancy -# replicaCount: 2 -# -# # Webhook listener enabled for event-driven discovery -# webhookServiceEnabled: true -# webhookServicePort: 8080 -# -# # CA bundle for private registry TLS -# caBundleEnabled: true -# caBundleConfigMapName: registry-ca-bundle -# caBundleKey: trust-bundle.pem -# -# # Optional: Reference to OCM config secret for private registries -# # ocmConfigSecretName: ocm-registry-credentials diff --git a/solution-arsenal-discovery/component-constructor.yaml b/solution-arsenal-discovery/component-constructor.yaml index f15a3c0..4192868 100644 --- a/solution-arsenal-discovery/component-constructor.yaml +++ b/solution-arsenal-discovery/component-constructor.yaml @@ -10,15 +10,7 @@ components: - name: app.kubernetes.io/part-of value: solution-arsenal resources: - # ResourceGraphDefinition for KRO bootstrapping - - name: solution-arsenal-discovery-rgd - type: yaml - relation: local - input: - type: file - path: rgd-template.yaml - - # SolutionArsenal Discovery Helm Chart (local) + # SolutionArsenal Discovery Helm Chart - name: solution-arsenal-discovery-chart type: helmChart version: v0.1.0 diff --git a/solution-arsenal-discovery/rgd-template.yaml b/solution-arsenal-discovery/rgd-template.yaml deleted file mode 100644 index 4dcc94b..0000000 --- a/solution-arsenal-discovery/rgd-template.yaml +++ /dev/null 
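Review bot: The solution-arsenal component constructor is not touched by this commit — the diffstat lists only `solution-arsenal-discovery/component-constructor.yaml` — although `solution-arsenal/rgd-template.yaml` is deleted in the same commit; if that constructor carries the counterpart of the `solution-arsenal-discovery-rgd` file-input resource removed here (a `path: rgd-template.yaml` entry, not visible in this chunk), building its CTF now fails on a missing file, so it should be updated in this commit rather than left for a later patch. The two README hunks in this commit also keep the sentence "The RGD picks up these rewritten references at runtime so images are pulled from the correct location" as a context line right after the `--copy-local-resources` explanation, which describes nothing once the RGDs are gone; reword it to name what now consumes the rewritten references, or drop that sentence.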
@@ -1,237 +0,0 @@ -apiVersion: kro.run/v1alpha1 -kind: ResourceGraphDefinition -metadata: - name: solution-arsenal-discovery-bootstrap - namespace: default -spec: - schema: - apiVersion: v1alpha1 - kind: SolutionArsenalDiscoveryBootstrap - spec: - # Component reference configuration - registry: - url: - type: string - default: "ghcr.io" - componentName: - type: string - default: "opendefense.cloud/solution-arsenal-discovery" - componentVersion: - type: string - default: "0.1.0" - - # Deployment configuration - namespace: - type: string - default: "solar-system" - - # Configuration profile selection - deploymentProfile: - type: string - enum: ["minimal", "production"] - default: "minimal" - - # Replica configuration - replicaCount: - type: integer - minimum: 1 - maximum: 10 - default: 1 - - # Webhook listener configuration - webhookServiceEnabled: - type: boolean - default: true - webhookServicePort: - type: integer - default: 8080 - - # CA bundle for TLS connections to registries - caBundleEnabled: - type: boolean - default: false - caBundleConfigMapName: - type: string - default: "" - caBundleKey: - type: string - default: "trust-bundle.pem" - - # Credentials configuration - ocmConfigSecretName: - type: string - default: "" - - resources: - # OCM Repository resource - - id: ocm-repository - apiVersion: delivery.ocm.software/v1alpha1 - kind: Repository - metadata: - name: solution-arsenal-discovery-repo - namespace: ${schema.spec.namespace} - spec: - url: oci://${schema.spec.registry.url} - secretRef: - name: ${schema.spec.ocmConfigSecretName} - - # OCM Component resource - - id: ocm-component - dependsOn: - - ocm-repository - apiVersion: delivery.ocm.software/v1alpha1 - kind: Component - metadata: - name: solution-arsenal-discovery-component - namespace: ${schema.spec.namespace} - spec: - component: ${schema.spec.componentName} - version: ${schema.spec.componentVersion} - repository: - name: solution-arsenal-discovery-repo - secretRef: - name: 
${schema.spec.ocmConfigSecretName} - - # OCM Resource - Fetch Helm Chart - - id: helm-chart-resource - dependsOn: - - ocm-component - apiVersion: delivery.ocm.software/v1alpha1 - kind: Resource - metadata: - name: solution-arsenal-discovery-chart - namespace: ${schema.spec.namespace} - spec: - resource: solution-arsenal-discovery-chart - component: - name: solution-arsenal-discovery-component - secretRef: - name: ${schema.spec.ocmConfigSecretName} - - # OCM Resource - Fetch Discovery Image metadata - - id: discovery-image-resource - dependsOn: - - ocm-component - apiVersion: delivery.ocm.software/v1alpha1 - kind: Resource - metadata: - name: solution-arsenal-discovery-image - namespace: ${schema.spec.namespace} - spec: - resource: solution-arsenal-discovery-image - component: - name: solution-arsenal-discovery-component - secretRef: - name: ${schema.spec.ocmConfigSecretName} - - # OCM Resource - Fetch configuration values - - id: config-resource - dependsOn: - - ocm-component - apiVersion: delivery.ocm.software/v1alpha1 - kind: Resource - metadata: - name: solution-arsenal-discovery-config - namespace: ${schema.spec.namespace} - spec: - resource: solution-arsenal-discovery-${schema.spec.deploymentProfile}-config - component: - name: solution-arsenal-discovery-component - secretRef: - name: ${schema.spec.ocmConfigSecretName} - - # Namespace for SolutionArsenal Discovery deployment - - id: solution-arsenal-discovery-namespace - apiVersion: v1 - kind: Namespace - metadata: - name: ${schema.spec.namespace} - labels: - app.kubernetes.io/name: solution-arsenal-discovery - app.kubernetes.io/managed-by: kro - - # FluxCD OCIRepository - Watch Helm chart location - - id: oci-repository - dependsOn: - - helm-chart-resource - - solution-arsenal-discovery-namespace - apiVersion: source.toolkit.fluxcd.io/v1beta2 - kind: OCIRepository - metadata: - name: solution-arsenal-discovery-chart - namespace: ${schema.spec.namespace} - spec: - interval: 10m - url: 
${resources.helmChartResource.status.access.imageReference} - ref: - tag: ${schema.spec.componentVersion} - provider: generic - secretRef: - name: ${schema.spec.ocmConfigSecretName} - - # ConfigMap with base configuration values from OCM component - - id: base-config - dependsOn: - - config-resource - - solution-arsenal-discovery-namespace - apiVersion: v1 - kind: ConfigMap - metadata: - name: solution-arsenal-discovery-base-config - namespace: ${schema.spec.namespace} - data: - values.yaml: ${resources.configResource.status.content} - - # FluxCD HelmRelease - Deploy SolutionArsenal Discovery with localized image - - id: helm-release - dependsOn: - - oci-repository - - discovery-image-resource - - base-config - apiVersion: helm.toolkit.fluxcd.io/v2 - kind: HelmRelease - metadata: - name: solution-arsenal-discovery - namespace: ${schema.spec.namespace} - spec: - interval: 10m - timeout: 10m - chart: - spec: - chart: solar-discovery - version: ${schema.spec.componentVersion} - sourceRef: - kind: OCIRepository - name: solution-arsenal-discovery-chart - namespace: ${schema.spec.namespace} - - # Merge base configuration with localized image references - valuesFrom: - - kind: ConfigMap - name: solution-arsenal-discovery-base-config - optional: false - - values: - # Override image with localized reference from OCM - replicaCount: ${schema.spec.replicaCount} - image: - repository: ${resources.discoveryImageResource.status.access.imageReference | split(":")[0]} - tag: ${resources.discoveryImageResource.status.access.imageReference | split(":")[1]} - - # Webhook service configuration - service: - enabled: ${schema.spec.webhookServiceEnabled} - type: ClusterIP - port: ${schema.spec.webhookServicePort} - - # CA bundle for registry TLS - caBundle: - enabled: ${schema.spec.caBundleEnabled} - configMapName: ${schema.spec.caBundleConfigMapName} - key: ${schema.spec.caBundleKey} - - status: - conditions: - - type: Ready - reason: AllResourcesReady - message: "All SolutionArsenal 
Discovery resources are deployed and ready" diff --git a/solution-arsenal/README.md b/solution-arsenal/README.md index 706ad4e..ae931d2 100644 --- a/solution-arsenal/README.md +++ b/solution-arsenal/README.md @@ -6,15 +6,11 @@ This directory contains the OCM (Open Component Model) packaging for [Solution A ``` solution-arsenal/ -├── bootstrap.yaml # OCM K8s Toolkit bootstrap + example CR instances ├── component-constructor.yaml # OCM component descriptor ├── minimal-values.yaml # Helm values: single-instance dev/test profile ├── production-values.yaml # Helm values: HA production profile -└── rgd-template.yaml # KRO ResourceGraphDefinition ``` - - ## Prerequisites ### Required @@ -22,11 +18,6 @@ solution-arsenal/ - **Helm** - **cert-manager** -### Optional -- **KRO (Kubernetes Resource Orchestrator)**: For RGD-based bootstrapping -- **OCM K8s Toolkit**: For OCM-based deployment -- **FluxCD**: For GitOps-style deployments - ## Quick start ### 1. Build the CTF archive 
@@ -49,45 +40,8 @@ ocm transfer ctf --copy-local-resources ./ctf localhost:5001 The `--copy-local-resources` flag rewrites the image references inside the component to point to the target registry. The RGD picks up these rewritten references at runtime so images are pulled from the correct location. -### 3. Edit bootstrap.yaml - -Open `bootstrap.yaml` and set the registry URL in the `Repository` resource: - -```yaml -spec: - url: oci://ghcr.io/your-org -``` - -If the registry is private, uncomment the `Secret` block and the `secretRef` fields throughout the file. - -### 4. Apply the bootstrap - -```bash -kubectl apply -f bootstrap.yaml -``` - -This creates the OCM K8s Toolkit resources that fetch the RGD and the `SolutionArsenalBootstrap` CR that triggers the actual deployment. - -### 5. Verify - -```bash -# RGD created by the deployer -kubectl get rgd solution-arsenal-bootstrap - -# CRD registered by KRO -kubectl get crd solutionarsenalbootstraps.kro.run - -# Bootstrap instance status -kubectl get solutionarsenalbootstrap -A - -# Application pods -kubectl get pods -n solar-system -``` - - ## Resources - [Solution Arsenal repository](https://github.com/opendefensecloud/solution-arsenal) - [SolAr documentation](https://solar.opendefense.cloud) - [OCM specification](https://ocm.software) -- [KRO documentation](https://kro.run) diff --git a/solution-arsenal/bootstrap.yaml b/solution-arsenal/bootstrap.yaml deleted file mode 100644 index 5e43deb..0000000 --- a/solution-arsenal/bootstrap.yaml +++ /dev/null 
@@ -1,159 +0,0 @@ ---- -# Bootstrap configuration for SolutionArsenal component deployment -# This file uses OCM K8s Toolkit to fetch and deploy the ResourceGraphDefinition -# from the OCM component, enabling self-contained deployment with automatic -# image localization when components are transferred between registries. - -apiVersion: v1 -kind: Namespace -metadata: - name: ocm-system ---- -# Optional: Secret for private registry access -# Uncomment and configure if using a private OCI registry -# apiVersion: v1 -# kind: Secret -# metadata: -# name: ocm-registry-credentials -# namespace: ocm-system -# type: kubernetes.io/dockerconfigjson -# data: -# .dockerconfigjson: ---- -# OCM Repository - Points to the OCI registry containing OCM components -apiVersion: delivery.ocm.software/v1alpha1 -kind: Repository -metadata: - name: solution-arsenal-repo - namespace: ocm-system -spec: - # Replace with your OCM registry URL - url: oci://ghcr.io/your-org/ocm-components - # Optional: Reference secret for private registry access - # secretRef: - # name: ocm-registry-credentials ---- -# OCM Component - References the specific SolutionArsenal component -apiVersion: delivery.ocm.software/v1alpha1 -kind: Component -metadata: - name: solution-arsenal-component - namespace: ocm-system -spec: - component: opendefense.cloud/solution-arsenal - version: 0.1.0 - repository: - name: solution-arsenal-repo - # Optional: Reference secret for private registry access - # secretRef: - # name: ocm-registry-credentials ---- -# OCM Resource - Fetches the ResourceGraphDefinition from the component -apiVersion: delivery.ocm.software/v1alpha1 -kind: Resource -metadata: - name: solution-arsenal-rgd - namespace: ocm-system -spec: - resource: solution-arsenal-rgd - component: - name: solution-arsenal-component - # Optional: Reference secret for private registry access - # secretRef: - # name: ocm-registry-credentials ---- -# OCM Deployer - Applies the RGD content to the cluster -# Note: This is a 
cluster-scoped operation that creates the RGD CRD -apiVersion: delivery.ocm.software/v1alpha1 -kind: Deployer -metadata: - name: solution-arsenal-rgd-deployer - namespace: ocm-system -spec: - resource: - name: solution-arsenal-rgd - # Optional: Reference secret for private registry access - # secretRef: - # name: ocm-registry-credentials ---- -# Example SolutionArsenal Bootstrap instance - Minimal configuration -# This creates an actual deployment using the RGD -apiVersion: v1alpha1 -kind: SolutionArsenalBootstrap -metadata: - name: solution-arsenal-minimal - namespace: default -spec: - # Registry configuration - registry: - url: ghcr.io # Replace with your registry if using a private one - - # Component reference - componentName: opendefense.cloud/solution-arsenal - componentVersion: 0.1.0 - - # Deployment configuration - namespace: solar-system - - # Use minimal profile for development/testing - deploymentProfile: minimal - - # Replica configuration for minimal setup - apiServerReplicas: 1 - controllerReplicas: 1 - etcdReplicas: 1 - - # etcd storage configuration - etcdStorageSize: 1Gi - # etcdStorageClass: "" # Leave empty to use default storage class - - # cert-manager required for TLS - certManagerEnabled: true - - # Monitoring disabled for minimal profile - metricsEnabled: false - prometheusEnabled: false - - # Optional: Reference to OCM config secret for private registries - # ocmConfigSecretName: ocm-registry-credentials ---- -# Example SolutionArsenal Bootstrap instance - Production configuration -# Uncomment to deploy a production-grade HA setup -# apiVersion: v1alpha1 -# kind: SolutionArsenalBootstrap -# metadata: -# name: solution-arsenal-production -# namespace: default -# spec: -# # Registry configuration -# registry: -# url: ghcr.io -# -# # Component reference -# componentName: opendefense.cloud/solution-arsenal -# componentVersion: 0.1.0 -# -# # Deployment configuration -# namespace: solution-arsenal-system -# -# # Use production profile for HA 
setup -# deploymentProfile: production -# -# # High availability with 3 replicas for each component -# apiServerReplicas: 3 -# controllerReplicas: 3 -# etcdReplicas: 3 -# -# # etcd storage configuration -# etcdStorageSize: 20Gi -# etcdStorageClass: fast-ssd # Use your high-performance storage class -# -# # cert-manager required for TLS -# certManagerEnabled: true -# -# # Monitoring enabled for production -# metricsEnabled: true -# prometheusEnabled: true -# -# # Optional: Reference to OCM config secret for private registries -# # ocmConfigSecretName: ocm-registry-credentials diff --git a/solution-arsenal/rgd-template.yaml b/solution-arsenal/rgd-template.yaml deleted file mode 100644 index 885c045..0000000 --- a/solution-arsenal/rgd-template.yaml +++ /dev/null 
@@ -1,320 +0,0 @@
-apiVersion: kro.run/v1alpha1
-kind: ResourceGraphDefinition
-metadata:
- name: solution-arsenal-bootstrap
- namespace: default
-spec:
- schema:
- apiVersion: v1alpha1
- kind: SolutionArsenalBootstrap
- spec:
- # Component reference configuration
- registry:
- url:
- type: string
- default: "ghcr.io"
- componentName:
- type: string
- default: "opendefense.cloud/solution-arsenal"
- componentVersion:
- type: string
- default: "0.1.0"
-
- # Deployment configuration
- namespace:
- type: string
- default: "solar-system"
-
- # Configuration profile selection
- deploymentProfile:
- type: string
- enum: ["minimal", "production"]
- default: "minimal"
-
- # API Server configuration
- apiServerReplicas:
- type: integer
- minimum: 1
- maximum: 10
- default: 1
-
- # Controller Manager configuration
- controllerReplicas:
- type: integer
- minimum: 1
- maximum: 10
- default: 1
-
- # etcd configuration
- etcdReplicas:
- type: integer
- minimum: 1
- maximum: 10
- default: 1
- etcdStorageSize:
- type: string
- default: "1Gi"
- etcdStorageClass:
- type: string
- default: ""
-
- # Metrics / monitoring configuration
- metricsEnabled:
- type: boolean
- default: false
- prometheusEnabled:
- type: boolean
- default: false
-
- # cert-manager integration
- certManagerEnabled:
- type: boolean
- default: true
-
- # Credentials configuration
- ocmConfigSecretName:
- type: string
- default: ""
-
- resources:
- # OCM Repository resource
- - id: ocm-repository
- apiVersion: delivery.ocm.software/v1alpha1
- kind: Repository
- metadata:
- name: solution-arsenal-repo
- namespace: ${schema.spec.namespace}
- spec:
- url: oci://${schema.spec.registry.url}
- secretRef:
- name: ${schema.spec.ocmConfigSecretName}
-
- # OCM Component resource
- - id: ocm-component
- dependsOn:
- - ocm-repository
- apiVersion: delivery.ocm.software/v1alpha1
- kind: Component
- metadata:
- name: solution-arsenal-component
- namespace: ${schema.spec.namespace}
- spec:
- component:
${schema.spec.componentName}
- version: ${schema.spec.componentVersion}
- repository:
- name: solution-arsenal-repo
- secretRef:
- name: ${schema.spec.ocmConfigSecretName}
-
- # OCM Resource - Fetch Helm Chart
- - id: helm-chart-resource
- dependsOn:
- - ocm-component
- apiVersion: delivery.ocm.software/v1alpha1
- kind: Resource
- metadata:
- name: solution-arsenal-chart
- namespace: ${schema.spec.namespace}
- spec:
- resource: solution-arsenal-chart
- component:
- name: solution-arsenal-component
- secretRef:
- name: ${schema.spec.ocmConfigSecretName}
-
- # OCM Resource - Fetch API Server Image metadata
- - id: apiserver-image-resource
- dependsOn:
- - ocm-component
- apiVersion: delivery.ocm.software/v1alpha1
- kind: Resource
- metadata:
- name: solution-arsenal-apiserver-image
- namespace: ${schema.spec.namespace}
- spec:
- resource: solution-arsenal-apiserver-image
- component:
- name: solution-arsenal-component
- secretRef:
- name: ${schema.spec.ocmConfigSecretName}
-
- # OCM Resource - Fetch Controller Manager Image metadata
- - id: controller-image-resource
- dependsOn:
- - ocm-component
- apiVersion: delivery.ocm.software/v1alpha1
- kind: Resource
- metadata:
- name: solution-arsenal-controller-image
- namespace: ${schema.spec.namespace}
- spec:
- resource: solution-arsenal-controller-manager-image
- component:
- name: solution-arsenal-component
- secretRef:
- name: ${schema.spec.ocmConfigSecretName}
-
- # OCM Resource - Fetch Renderer Image metadata
- - id: renderer-image-resource
- dependsOn:
- - ocm-component
- apiVersion: delivery.ocm.software/v1alpha1
- kind: Resource
- metadata:
- name: solution-arsenal-renderer-image
- namespace: ${schema.spec.namespace}
- spec:
- resource: solution-arsenal-renderer-image
- component:
- name: solution-arsenal-component
- secretRef:
- name: ${schema.spec.ocmConfigSecretName}
-
- # OCM Resource - Fetch etcd Image metadata
- - id: etcd-image-resource
- dependsOn:
- - ocm-component
- apiVersion:
delivery.ocm.software/v1alpha1
- kind: Resource
- metadata:
- name: solution-arsenal-etcd-image
- namespace: ${schema.spec.namespace}
- spec:
- resource: etcd-image
- component:
- name: solution-arsenal-component
- secretRef:
- name: ${schema.spec.ocmConfigSecretName}
-
- # OCM Resource - Fetch configuration values
- - id: config-resource
- dependsOn:
- - ocm-component
- apiVersion: delivery.ocm.software/v1alpha1
- kind: Resource
- metadata:
- name: solution-arsenal-config
- namespace: ${schema.spec.namespace}
- spec:
- resource: solution-arsenal-${schema.spec.deploymentProfile}-config
- component:
- name: solution-arsenal-component
- secretRef:
- name: ${schema.spec.ocmConfigSecretName}
-
- # Namespace for SolutionArsenal deployment
- - id: solution-arsenal-namespace
- apiVersion: v1
- kind: Namespace
- metadata:
- name: ${schema.spec.namespace}
- labels:
- app.kubernetes.io/name: solution-arsenal
- app.kubernetes.io/managed-by: kro
-
- # FluxCD OCIRepository - Watch Helm chart location
- - id: oci-repository
- dependsOn:
- - helm-chart-resource
- - solution-arsenal-namespace
- apiVersion: source.toolkit.fluxcd.io/v1beta2
- kind: OCIRepository
- metadata:
- name: solution-arsenal-chart
- namespace: ${schema.spec.namespace}
- spec:
- interval: 10m
- url: ${resources.helmChartResource.status.access.imageReference}
- ref:
- tag: ${schema.spec.componentVersion}
- provider: generic
- secretRef:
- name: ${schema.spec.ocmConfigSecretName}
-
- # ConfigMap with base configuration values from OCM component
- - id: base-config
- dependsOn:
- - config-resource
- - solution-arsenal-namespace
- apiVersion: v1
- kind: ConfigMap
- metadata:
- name: solution-arsenal-base-config
- namespace: ${schema.spec.namespace}
- data:
- values.yaml: ${resources.configResource.status.content}
-
- # FluxCD HelmRelease - Deploy SolutionArsenal with localized images
- - id: helm-release
- dependsOn:
- - oci-repository
- - apiserver-image-resource
- - controller-image-resource
- -
renderer-image-resource
- - etcd-image-resource
- - base-config
- apiVersion: helm.toolkit.fluxcd.io/v2
- kind: HelmRelease
- metadata:
- name: solution-arsenal
- namespace: ${schema.spec.namespace}
- spec:
- interval: 10m
- timeout: 10m
- chart:
- spec:
- chart: solar
- version: ${schema.spec.componentVersion}
- sourceRef:
- kind: OCIRepository
- name: solution-arsenal-chart
- namespace: ${schema.spec.namespace}
-
- # Merge base configuration with localized image references
- valuesFrom:
- - kind: ConfigMap
- name: solution-arsenal-base-config
- optional: false
-
- values:
- # Override images with localized references from OCM
- apiserver:
- replicaCount: ${schema.spec.apiServerReplicas}
- image:
- repository: ${resources.apiserverImageResource.status.access.imageReference | split(":")[0]}
- tag: ${resources.apiserverImageResource.status.access.imageReference | split(":")[1]}
-
- renderer:
- image:
- repository: ${resources.rendererImageResource.status.access.imageReference | split(":")[0]}
- tag: ${resources.rendererImageResource.status.access.imageReference | split(":")[1]}
-
- controller:
- replicaCount: ${schema.spec.controllerReplicas}
- image:
- repository: ${resources.controllerImageResource.status.access.imageReference | split(":")[0]}
- tag: ${resources.controllerImageResource.status.access.imageReference | split(":")[1]}
- args:
- leaderElect: ${schema.spec.controllerReplicas > 1}
- metrics:
- enabled: ${schema.spec.metricsEnabled}
- serviceMonitor:
- enabled: ${schema.spec.prometheusEnabled}
-
- etcd:
- replicaCount: ${schema.spec.etcdReplicas}
- image:
- repository: ${resources.etcdImageResource.status.access.imageReference | split(":")[0]}
- tag: ${resources.etcdImageResource.status.access.imageReference | split(":")[1]}
- persistence:
- size: ${schema.spec.etcdStorageSize}
- storageClass: ${schema.spec.etcdStorageClass}
-
- certManager:
- enabled: ${schema.spec.certManagerEnabled}
-
- status:
- conditions:
- - type: Ready
- reason: AllResourcesReady
- message: "All SolutionArsenal resources are deployed and ready"
From c0ac4d2704a4632aff0d4a20220815a32abbcbb5 Mon Sep 17 00:00:00 2001
From: Doreen Seider
Date: Tue, 28 Apr 2026 22:09:43 +0200
Subject: [PATCH 3/3] Fix versions in solar components
---
.../component-constructor.yaml | 4 ++--
solution-arsenal/component-constructor.yaml | 18 +++++-------------
2 files changed, 7 insertions(+), 15 deletions(-)
diff --git a/solution-arsenal-discovery/component-constructor.yaml b/solution-arsenal-discovery/component-constructor.yaml
index 4192868..4f75f64 100644
--- a/solution-arsenal-discovery/component-constructor.yaml
+++ b/solution-arsenal-discovery/component-constructor.yaml
@@ -13,7 +13,7 @@ components:
# SolutionArsenal Discovery Helm Chart
- name: solution-arsenal-discovery-chart
type: helmChart
- version: v0.1.0
+ version: v0.1.1
relation: external
access:
type: ociArtifact
@@ -22,7 +22,7 @@ components:
# Solar Discovery Container Image
- name: solution-arsenal-discovery-image
type: ociImage
- version: v0.1.0
+ version: v0.1.1
relation: external
access:
type: ociArtifact
diff --git a/solution-arsenal/component-constructor.yaml b/solution-arsenal/component-constructor.yaml
index 1e8c990..db97415 100644
--- a/solution-arsenal/component-constructor.yaml
+++ b/solution-arsenal/component-constructor.yaml
@@ -10,18 +10,10 @@ components:
- name: app.kubernetes.io/part-of
value: solution-arsenal
resources:
- # ResourceGraphDefinition for KRO bootstrapping
- - name: solution-arsenal-rgd
- type: yaml
- relation: local
- input:
- type: file
- path: rgd-template.yaml
-
- # SolutionArsenal Helm Chart (local)
+ # SolutionArsenal Helm Chart
- name: solution-arsenal-chart
type: helmChart
- version: v0.1.0
+ version: v0.1.1
relation: external
access:
type: ociArtifact
@@ -30,7 +22,7 @@ components:
# API Server Container Image
- name: solution-arsenal-apiserver-image
type: ociImage
- version: v0.1.0
+ version: v0.1.1
relation: external
access:
type: ociArtifact
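Review bot: The chart resource bumped in the `@@ -10,18 +10,10 @@` hunk reads `version: v0.1.1`, as do the image bumps in the following hunks, but the renderer image in this file's last hunk (`@@ -48,7 +40,7 @@`) is bumped to `version: 0.1.1` without the `v` prefix, so one component now carries two version formats for artifacts released together. Unless the renderer image really is tagged without the prefix, `version: v0.1.1` there would keep the resources consistent; if it is, a comment on that resource saying so would save the next reader a search, since the `access` block that would confirm the tag lies outside the hunk. This hunk also drops the local `solution-arsenal-rgd` resource, which the subject "Fix versions in solar components" does not mention; a sentence in the commit description noting that the kro bootstrap is no longer shipped in the component would keep the history searchable. The `resources` list continues past the end of the hunk.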
@@ -39,7 +31,7 @@ components:
# Controller Manager Container Image
- name: solution-arsenal-controller-manager-image
type: ociImage
- version: v0.1.0
+ version: v0.1.1
relation: external
access:
type: ociArtifact
@@ -48,7 +40,7 @@ components:
# Renderer Container Image
- name: solution-arsenal-renderer-image
type: ociImage
- version: 0.1.0
+ version: 0.1.1
relation: external
access:
type: ociArtifact