release v1.1.0

release v1.1.0

Author: nikhisin3001

Makefile

@@ -1,8 +1,5 @@
 SHELL = bash
-
-PKG_VERSION ?= v1.0.0
-OCI_DRIVER_VERSION ?= v1.30.0
-
+PKG_VERSION ?= v1.1.0
 PRE_COMMIT := $(shell command -v pre-commit 2> /dev/null)
 PODMAN := $(shell command -v podman 2> /dev/null)
 OC := $(shell command -v oc 2> /dev/null)

README.md

@@ -2,6 +2,10 @@
 
 This repository contains [Terraform stacks](/terraform-stacks/README.md) as well as OpenShift and Kubernetes [manifest files](/custom_manifests/README.md) to support the deployment, installation, and management of Red Hat OpenShift clusters on Oracle Cloud Infrastructure (OCI).
 
+## Prerequisites
+⚠️ Important: Before creating the cluster, ensure you've executed the latest version of create-attribution-tags stack. This ensures all necessary tags are available prior to cluster provisioning.
+You only need to run this for the `first cluster deployment`. Subsequent cluster deployments will not require this step, as the tags will already exist.
+
 ## Documentation and Installation Instructions
 
 - [OSO Overview](https://docs.oracle.com/en-us/iaas/Content/openshift-on-oci/overview.htm)

custom_manifests/condensed-manifest.yml

@@ -13,7 +13,7 @@ metadata:
     "pod-security.kubernetes.io/warn": "privileged"
     "security.openshift.io/scc.podSecurityLabelSync": "false"
     "openshift.io/run-level": "0"
-    "pod-security.kubernetes.io/enforce-version": "v1.24"
+    "pod-security.kubernetes.io/enforce-version": "v1.30"
 
 ---
 
@@ -272,7 +272,7 @@ metadata:
     "pod-security.kubernetes.io/warn": "privileged"
     "security.openshift.io/scc.podSecurityLabelSync": "false"
     "openshift.io/run-level": "0"
-    "pod-security.kubernetes.io/enforce-version": "v1.24"
+    "pod-security.kubernetes.io/enforce-version": "v1.30"
 
 ---
 

custom_manifests/manifests/01-oci-ccm.yml

@@ -13,7 +13,7 @@ metadata:
     "pod-security.kubernetes.io/warn": "privileged"
     "security.openshift.io/scc.podSecurityLabelSync": "false"
     "openshift.io/run-level": "0"
-    "pod-security.kubernetes.io/enforce-version": "v1.24"
+    "pod-security.kubernetes.io/enforce-version": "v1.30"
 
 ---
 

custom_manifests/manifests/01-oci-csi.yml

@@ -13,7 +13,7 @@ metadata:
     "pod-security.kubernetes.io/warn": "privileged"
     "security.openshift.io/scc.podSecurityLabelSync": "false"
     "openshift.io/run-level": "0"
-    "pod-security.kubernetes.io/enforce-version": "v1.24"
+    "pod-security.kubernetes.io/enforce-version": "v1.30"
 
 ---
 

custom_manifests/oci-ccm-csi-drivers/v1.30.0-RWX-LA/01-oci-ccm.yml

@@ -0,0 +1,259 @@
+# ----- 01-oci-ccm.yml -----
+
+# oci-ccm-00-namespace.yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: oci-cloud-controller-manager
+  annotations:
+    workload.openshift.io/allowed: management
+  labels:
+    "pod-security.kubernetes.io/enforce": "privileged"
+    "pod-security.kubernetes.io/audit": "privileged"
+    "pod-security.kubernetes.io/warn": "privileged"
+    "security.openshift.io/scc.podSecurityLabelSync": "false"
+    "openshift.io/run-level": "0"
+    "pod-security.kubernetes.io/enforce-version": "v1.30"
+
+---
+
+# oci-ccm-01-service-account.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cloud-controller-manager
+  namespace: oci-cloud-controller-manager
+
+---
+
+# oci-ccm-02-cluster-role.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: system:cloud-controller-manager
+  labels:
+    kubernetes.io/cluster-service: "true"
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - '*'
+
+- apiGroups:
+  - ""
+  resources:
+  - nodes/status
+  verbs:
+  - patch
+
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - list
+  - watch
+  - patch
+  - get
+
+- apiGroups:
+  - ""
+  resources:
+  - services/status
+  verbs:
+  - patch
+  - get
+  - update
+
+- apiGroups:
+    - ""
+  resources:
+    - configmaps
+  resourceNames:
+    - "extension-apiserver-authentication"
+  verbs:
+    - get
+
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - list
+  - watch
+  - create
+  - patch
+  - update
+
+# For leader election
+- apiGroups:
+  - ""
+  resources:
+  - endpoints
+  verbs:
+  - create
+
+- apiGroups:
+  - ""
+  resources:
+  - endpoints
+  resourceNames:
+  - "cloud-controller-manager"
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+
+- apiGroups:
+    - "coordination.k8s.io"
+  resources:
+    - leases
+  verbs:
+    - get
+    - create
+    - update
+    - delete
+    - patch
+    - watch
+
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  resourceNames:
+  - "cloud-controller-manager"
+  verbs:
+  - get
+  - update
+
+- apiGroups:
+    - ""
+  resources:
+    - configmaps
+  resourceNames:
+    - "extension-apiserver-authentication"
+  verbs:
+    - get
+    - list
+    - watch
+
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts
+  verbs:
+  - create
+  - list
+  - get
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+
+# For the PVL
+- apiGroups:
+  - ""
+  resources:
+  - persistentvolumes
+  verbs:
+  - list
+  - watch
+  - patch
+---
+
+# oci-ccm-03-cluster-role-binding.yaml
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: oci-cloud-controller-manager
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:cloud-controller-manager
+subjects:
+- kind: ServiceAccount
+  name: cloud-controller-manager
+  namespace: oci-cloud-controller-manager
+
+---
+
+# oci-ccm-05-daemon-set.yaml
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: oci-cloud-controller-manager
+  namespace: oci-cloud-controller-manager
+  labels:
+    k8s-app: oci-cloud-controller-manager
+spec:
+  selector:
+    matchLabels:
+      component: oci-cloud-controller-manager
+      tier: control-plane
+  updateStrategy:
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        component: oci-cloud-controller-manager
+        tier: control-plane
+    spec:
+      serviceAccountName: cloud-controller-manager
+      hostNetwork: true
+      nodeSelector:
+        node-role.kubernetes.io/control-plane: ""
+      tolerations:
+      - key: node.cloudprovider.kubernetes.io/uninitialized
+        value: "true"
+        effect: NoSchedule
+      - key: node-role.kubernetes.io/control-plane
+        operator: Exists
+        effect: NoSchedule
+      - key: node-role.kubernetes.io/master
+        operator: Exists
+        effect: NoSchedule
+      - key: node.kubernetes.io/not-ready
+        operator: Exists
+        effect: NoSchedule
+      volumes:
+        - name: cfg
+          secret:
+            secretName: oci-cloud-controller-manager
+        - name: kubernetes
+          hostPath:
+            path: /etc/kubernetes
+      containers:
+        - name: oci-cloud-controller-manager
+          image: ghcr.io/dfoster-oracle/cloud-provider-oci-amd64:v1.30.0-rwx
+          command:
+            - /bin/bash
+            - -c
+            - |
+              #!/bin/bash
+              set -o allexport
+              if [[ -f /etc/kubernetes/apiserver-url.env ]]; then
+                source /etc/kubernetes/apiserver-url.env
+              fi
+              exec /usr/local/bin/oci-cloud-controller-manager --cloud-config=/etc/oci/cloud-provider.yaml --cloud-provider=oci --leader-elect-resource-lock=leases --concurrent-service-syncs=3 --v=2
+          volumeMounts:
+            - name: cfg
+              mountPath: /etc/oci
+              readOnly: true
+            - name: kubernetes
+              mountPath: /etc/kubernetes
+              readOnly: true
+---