Chapter 11. Using hub templates in PolicyGenerator or PolicyGenTemplate CRs
Topology Aware Lifecycle Manager supports Red Hat Advanced Cluster Management (RHACM) hub cluster templates in the configuration policies used with GitOps Zero Touch Provisioning (ZTP).
Hub-side cluster templates allow you to define configuration policies that are dynamically customized to the target cluster. This reduces the need to create separate policies for many clusters that have a similar configuration but different values.
Policy templates are restricted to the namespace in which the policy is defined. This means that you must create the objects referenced in a hub template in the same namespace where the policy is created. Because the referenced ConfigMap values are rendered straight into the policies that every matching cluster enforces, write access to that namespace is effectively write access to the configuration of the whole fleet; restrict it accordingly.
Note: Using PolicyGenTemplate CRs to manage and monitor policies for managed clusters will be deprecated in an upcoming OpenShift Container Platform release. Equivalent and improved functionality is available by using Red Hat Advanced Cluster Management (RHACM) and PolicyGenerator CRs. For more information about PolicyGenerator resources, see the RHACM Policy Generator documentation.
11.1. Specifying group and site configuration in group PolicyGenerator or PolicyGenTemplate CRs
You can manage the configuration of a fleet of clusters with ConfigMap CRs by using hub templates to populate the group and site values in the generated policies that are applied to the managed clusters. Using hub templates in site PolicyGenerator or PolicyGenTemplate CRs means that you do not need to create a policy CR for each site.
You can group the clusters in a fleet into different categories depending on the use case, for example by hardware type or by region. Each cluster should carry a label corresponding to the group or groups that it belongs to. If you manage the configuration values for each group in a separate ConfigMap CR, you need only one policy CR to apply changes to all the clusters in a group by using hub templates.
The following example shows how to use three ConfigMap CRs and one group PolicyGenerator CR to apply both site and group configuration to clusters grouped by hardware type and region.
Note: There is a 1 MiB size limit (Kubernetes documentation) for ConfigMap CRs. The effective size of a ConfigMap CR is further limited by the last-applied-configuration annotation, which stores a full copy of the applied object. To avoid the last-applied-configuration limitation, add the following annotation to the template ConfigMap:
    argocd.argoproj.io/sync-options: Replace=true
Prerequisites
- You have installed the OpenShift CLI (oc).
- You have logged in to the hub cluster as a user with cluster-admin privileges.
- You have created a Git repository in which you manage your custom site configuration data. The repository must be accessible from the hub cluster and be defined as a source repository for the GitOps ZTP ArgoCD application.
Procedure
1. Create three ConfigMap CRs that contain the group and site configuration:
   a. Create a ConfigMap CR named group-hardware-types-configmap to hold the hardware-specific configuration. For example:

    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: group-hardware-types-configmap
      namespace: ztp-group
      annotations:
        argocd.argoproj.io/sync-options: Replace=true # <1>
    data:
      # SriovNetworkNodePolicy.yaml
      hardware-type-1-sriov-node-policy-pfNames-1: "[\"ens5f0\"]"
      hardware-type-1-sriov-node-policy-pfNames-2: "[\"ens7f0\"]"
      # PerformanceProfile.yaml
      hardware-type-1-cpu-isolated: "2-31,34-63"
      hardware-type-1-cpu-reserved: "0-1,32-33"
      hardware-type-1-hugepages-default: "1G"
      hardware-type-1-hugepages-size: "1G"
      hardware-type-1-hugepages-count: "32"

      <1> The argocd.argoproj.io/sync-options annotation is required only for a large ConfigMap that would otherwise exceed the 1 MiB limit once the last-applied-configuration annotation is added.

   b. Create a ConfigMap CR named group-zones-configmap to hold the zone configuration. For example:

    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: group-zones-configmap
      namespace: ztp-group
    data:
      # ClusterLogForwarder.yaml
      zone-1-cluster-log-fwd-outputs: "[{\"type\":\"kafka\", \"name\":\"kafka-open\", \"url\":\"tcp://10.46.55.190:9092/test\"}]"
      zone-1-cluster-log-fwd-pipelines: "[{\"inputRefs\":[\"audit\", \"infrastructure\"], \"labels\": {\"label1\": \"test1\", \"label2\": \"test2\", \"label3\": \"test3\", \"label4\": \"test4\"}, \"name\": \"all-to-default\", \"outputRefs\": [\"kafka-open\"]}]"

   c. Create a ConfigMap CR named site-data-configmap to hold the site-specific configuration. For example:

    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: site-data-configmap
      namespace: ztp-group
    data:
      # SriovNetwork.yaml
      du-sno-1-zone-1-sriov-network-vlan-1: "140"
      du-sno-1-zone-1-sriov-network-vlan-2: "150"

   Note: Each ConfigMap CR must be in the same namespace as the policies generated from the group PolicyGenerator CR.
2. Commit the ConfigMap CRs in Git, and then push to the Git repository that is monitored by the Argo CD application.
3. Apply the hardware type and zone labels to the cluster. The following command applies to a single cluster named du-sno-1-zone-1, with the chosen labels "hardware-type": "hardware-type-1" and "group-du-sno-zone": "zone-1":

    $ oc patch managedclusters.cluster.open-cluster-management.io/du-sno-1-zone-1 --type merge -p '{"metadata":{"labels":{"hardware-type": "hardware-type-1", "group-du-sno-zone": "zone-1"}}}'
4. Depending on your requirements, create a group PolicyGenerator or PolicyGenTemplate CR that uses hub templates to obtain the required data from the ConfigMap objects:
   - Create a group PolicyGenerator CR. This example PolicyGenerator CR configures logging, VLAN IDs, NICs and a Performance Profile for the clusters that match the labels listed in the policyDefaults.placement field:

    ---
    apiVersion: policy.open-cluster-management.io/v1
    kind: PolicyGenerator
    metadata:
      name: group-du-sno-pgt
    placementBindingDefaults:
      name: group-du-sno-pgt-placement-binding
    policyDefaults:
      placement:
        labelSelector:
          matchExpressions:
            - key: group-du-sno-zone
              operator: In
              values:
                - zone-1
            - key: hardware-type
              operator: In
              values:
                - hardware-type-1
      remediationAction: inform
      severity: low
      namespaceSelector:
        exclude:
          - kube-*
        include:
          - '*'
      evaluationInterval:
        compliant: 10m
        noncompliant: 10s
    policies:
      - name: group-du-sno-pgt-group-du-sno-cfg-policy
        policyAnnotations:
          ran.openshift.io/ztp-deploy-wave: "10"
        manifests:
          - path: source-crs/ClusterLogForwarder.yaml
            patches:
              - spec:
                  outputs: '{{hub fromConfigMap "" "group-zones-configmap" (printf "%s-cluster-log-fwd-outputs" (index .ManagedClusterLabels "group-du-sno-zone")) | toLiteral hub}}'
                  pipelines: '{{hub fromConfigMap "" "group-zones-configmap" (printf "%s-cluster-log-fwd-pipelines" (index .ManagedClusterLabels "group-du-sno-zone")) | toLiteral hub}}'
          - path: source-crs/PerformanceProfile-MCP-master.yaml
            patches:
              - metadata:
                  name: openshift-node-performance-profile
                spec:
                  additionalKernelArgs:
                    - rcupdate.rcu_normal_after_boot=0
                    - vfio_pci.enable_sriov=1
                    - vfio_pci.disable_idle_d3=1
                    - efi=runtime
                  cpu:
                    isolated: '{{hub fromConfigMap "" "group-hardware-types-configmap" (printf "%s-cpu-isolated" (index .ManagedClusterLabels "hardware-type")) hub}}'
                    reserved: '{{hub fromConfigMap "" "group-hardware-types-configmap" (printf "%s-cpu-reserved" (index .ManagedClusterLabels "hardware-type")) hub}}'
                  hugepages:
                    defaultHugepagesSize: '{{hub fromConfigMap "" "group-hardware-types-configmap" (printf "%s-hugepages-default" (index .ManagedClusterLabels "hardware-type")) hub}}'
                    pages:
                      - count: '{{hub fromConfigMap "" "group-hardware-types-configmap" (printf "%s-hugepages-count" (index .ManagedClusterLabels "hardware-type")) | toInt hub}}'
                        size: '{{hub fromConfigMap "" "group-hardware-types-configmap" (printf "%s-hugepages-size" (index .ManagedClusterLabels "hardware-type")) hub}}'
                  realTimeKernel:
                    enabled: true
      - name: group-du-sno-pgt-group-du-sno-sriov-policy
        policyAnnotations:
          ran.openshift.io/ztp-deploy-wave: "100"
        manifests:
          - path: source-crs/SriovNetwork.yaml
            patches:
              - metadata:
                  name: sriov-nw-du-fh
                spec:
                  resourceName: du_fh
                  vlan: '{{hub fromConfigMap "" "site-data-configmap" (printf "%s-sriov-network-vlan-1" .ManagedClusterName) | toInt hub}}'
          - path: source-crs/SriovNetworkNodePolicy-MCP-master.yaml
            patches:
              - metadata:
                  name: sriov-nnp-du-fh
                spec:
                  deviceType: netdevice
                  isRdma: false
                  nicSelector:
                    pfNames: '{{hub fromConfigMap "" "group-hardware-types-configmap" (printf "%s-sriov-node-policy-pfNames-1" (index .ManagedClusterLabels "hardware-type")) | toLiteral hub}}'
                  numVfs: 8
                  priority: 10
                  resourceName: du_fh
          - path: source-crs/SriovNetwork.yaml
            patches:
              - metadata:
                  name: sriov-nw-du-mh
                spec:
                  resourceName: du_mh
                  vlan: '{{hub fromConfigMap "" "site-data-configmap" (printf "%s-sriov-network-vlan-2" .ManagedClusterName) | toInt hub}}'
          - path: source-crs/SriovNetworkNodePolicy-MCP-master.yaml
            patches:
              - metadata:
                  name: sriov-nw-du-fh
                spec:
                  deviceType: netdevice
                  isRdma: false
                  nicSelector:
                    pfNames: '{{hub fromConfigMap "" "group-hardware-types-configmap" (printf "%s-sriov-node-policy-pfNames-2" (index .ManagedClusterLabels "hardware-type")) | toLiteral hub}}'
                  numVfs: 8
                  priority: 10
                  resourceName: du_fh

   - Create a group PolicyGenTemplate CR. This example PolicyGenTemplate CR configures logging, VLAN IDs, NICs and a Performance Profile for the clusters that match the labels listed under spec.bindingRules:

    apiVersion: ran.openshift.io/v1
    kind: PolicyGenTemplate
    metadata:
      name: group-du-sno-pgt
      namespace: ztp-group
    spec:
      bindingRules:
        # These policies will correspond to all clusters with these labels
        group-du-sno-zone: "zone-1"
        hardware-type: "hardware-type-1"
      mcp: "master"
      sourceFiles:
        - fileName: ClusterLogForwarder.yaml # wave 10
          policyName: "group-du-sno-cfg-policy"
          spec:
            outputs: '{{hub fromConfigMap "" "group-zones-configmap" (printf "%s-cluster-log-fwd-outputs" (index .ManagedClusterLabels "group-du-sno-zone")) | toLiteral hub}}'
            pipelines: '{{hub fromConfigMap "" "group-zones-configmap" (printf "%s-cluster-log-fwd-pipelines" (index .ManagedClusterLabels "group-du-sno-zone")) | toLiteral hub}}'
        - fileName: PerformanceProfile.yaml # wave 10
          policyName: "group-du-sno-cfg-policy"
          metadata:
            name: openshift-node-performance-profile
          spec:
            additionalKernelArgs:
              - rcupdate.rcu_normal_after_boot=0
              - vfio_pci.enable_sriov=1
              - vfio_pci.disable_idle_d3=1
              - efi=runtime
            cpu:
              isolated: '{{hub fromConfigMap "" "group-hardware-types-configmap" (printf "%s-cpu-isolated" (index .ManagedClusterLabels "hardware-type")) hub}}'
              reserved: '{{hub fromConfigMap "" "group-hardware-types-configmap" (printf "%s-cpu-reserved" (index .ManagedClusterLabels "hardware-type")) hub}}'
            hugepages:
              defaultHugepagesSize: '{{hub fromConfigMap "" "group-hardware-types-configmap" (printf "%s-hugepages-default" (index .ManagedClusterLabels "hardware-type")) hub}}'
              pages:
                - size: '{{hub fromConfigMap "" "group-hardware-types-configmap" (printf "%s-hugepages-size" (index .ManagedClusterLabels "hardware-type")) hub}}'
                  count: '{{hub fromConfigMap "" "group-hardware-types-configmap" (printf "%s-hugepages-count" (index .ManagedClusterLabels "hardware-type")) | toInt hub}}'
            realTimeKernel:
              enabled: true
        - fileName: SriovNetwork.yaml # wave 100
          policyName: "group-du-sno-sriov-policy"
          metadata:
            name: sriov-nw-du-fh
          spec:
            resourceName: du_fh
            vlan: '{{hub fromConfigMap "" "site-data-configmap" (printf "%s-sriov-network-vlan-1" .ManagedClusterName) | toInt hub}}'
        - fileName: SriovNetworkNodePolicy.yaml # wave 100
          policyName: "group-du-sno-sriov-policy"
          metadata:
            name: sriov-nnp-du-fh
          spec:
            deviceType: netdevice
            isRdma: false
            nicSelector:
              pfNames: '{{hub fromConfigMap "" "group-hardware-types-configmap" (printf "%s-sriov-node-policy-pfNames-1" (index .ManagedClusterLabels "hardware-type")) | toLiteral hub}}'
            numVfs: 8
            priority: 10
            resourceName: du_fh
        - fileName: SriovNetwork.yaml # wave 100
          policyName: "group-du-sno-sriov-policy"
          metadata:
            name: sriov-nw-du-mh
          spec:
            resourceName: du_mh
            vlan: '{{hub fromConfigMap "" "site-data-configmap" (printf "%s-sriov-network-vlan-2" .ManagedClusterName) | toInt hub}}'
        - fileName: SriovNetworkNodePolicy.yaml # wave 100
          policyName: "group-du-sno-sriov-policy"
          metadata:
            name: sriov-nw-du-fh
          spec:
            deviceType: netdevice
            isRdma: false
            nicSelector:
              pfNames: '{{hub fromConfigMap "" "group-hardware-types-configmap" (printf "%s-sriov-node-policy-pfNames-2" (index .ManagedClusterLabels "hardware-type")) | toLiteral hub}}'
            numVfs: 8
            priority: 10
            resourceName: du_fh
   Note: To retrieve site-specific configuration values, use the .ManagedClusterName field. This is a template context value that is set to the name of the target managed cluster. To retrieve group-specific configuration, use the .ManagedClusterLabels field. This is a template context value that is set to the labels of the managed cluster.
5. Commit the PolicyGenerator or PolicyGenTemplate CR in Git and push to the Git repository that is monitored by the ArgoCD application.
   Note: Subsequent changes to the referenced ConfigMap CRs are not automatically synced to the applied policies. You need to manually sync the new ConfigMap changes to update existing PolicyGenerator CRs. See "Syncing new ConfigMap changes to existing PolicyGenerator or PolicyGenTemplate CRs".
   You can use the same PolicyGenerator or PolicyGenTemplate CR for multiple clusters. If there is a configuration change, the only objects that need modifying are the ConfigMap objects that hold the configuration for each cluster and the labels of the managed clusters.
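The procedure above depends on how the hub renders each '{{hub ... hub}}' field from a cluster's name and labels, and the failure mode that matters in practice is a label or ConfigMap key that does not line up. The following Go program is an added example, not code from this chapter or from RHACM or GitOps ZTP: it mimics that rendering with the standard text/template package, using the chapter's '{{hub' / 'hub}}' delimiters and two of its field values. The ConfigMap contents are a constructed in-memory copy of the chapter's keys, and fromConfigMap, toInt and toLiteral are simplified stand-ins for the RHACM functions (in particular, the real toLiteral splices the value into the policy as YAML rather than as text). The Preflight function is the check worth running before you commit a ConfigMap change or relabel a cluster: it renders every field for a cluster and reports any key that cannot be found.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"text/template"
)

// Constructed in-memory stand-in for the ConfigMap CRs in the ztp-group
// namespace; keys and values are the chapter's, nothing is read from a hub.
var hubConfigMaps = map[string]map[string]string{
	"group-hardware-types-configmap": {
		"hardware-type-1-sriov-node-policy-pfNames-1": `["ens5f0"]`,
		"hardware-type-1-cpu-isolated":                "2-31,34-63",
	},
	"site-data-configmap": {
		"du-sno-1-zone-1-sriov-network-vlan-1": "140",
	},
}

// HubContext carries the two template context fields the chapter uses.
type HubContext struct {
	ManagedClusterName   string
	ManagedClusterLabels map[string]string
}

// ExampleFields are hub template values from the chapter's PolicyGenerator CR:
// a group lookup keyed by label and a site lookup keyed by cluster name.
var ExampleFields = []string{
	`{{hub fromConfigMap "" "group-hardware-types-configmap" (printf "%s-cpu-isolated" (index .ManagedClusterLabels "hardware-type")) hub}}`,
	`{{hub fromConfigMap "" "site-data-configmap" (printf "%s-sriov-network-vlan-1" .ManagedClusterName) | toInt hub}}`,
}

// fromConfigMap is a simplified stand-in for the RHACM function: a missing
// ConfigMap or key is a hard error, so a mistyped label surfaces at render time.
func fromConfigMap(namespace, name, key string) (string, error) {
	cm, ok := hubConfigMaps[name]
	if !ok {
		return "", fmt.Errorf("configmap %q not found in policy namespace", name)
	}
	v, ok := cm[key]
	if !ok {
		return "", fmt.Errorf("key %q not found in configmap %q", key, name)
	}
	return v, nil
}

// toInt converts a ConfigMap string to an integer (vlan, hugepages count).
func toInt(s string) (int, error) { return strconv.Atoi(strings.TrimSpace(s)) }

// toLiteral is a placeholder: in RHACM it splices the value into the policy
// as a YAML literal so that `["ens5f0"]` becomes a list, not a string.
func toLiteral(s string) string { return s }

// ResolveHubTemplate renders one '{{hub ... hub}}' field value for a cluster.
func ResolveHubTemplate(field string, ctx HubContext) (string, error) {
	t, err := template.New("hub").Delims("{{hub", "hub}}").Funcs(template.FuncMap{
		"fromConfigMap": fromConfigMap,
		"toInt":         toInt,
		"toLiteral":     toLiteral,
	}).Parse(field)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	if err := t.Execute(&sb, ctx); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// Preflight renders every field for a cluster and returns the problems found:
// the check to run before committing a ConfigMap change or relabelling a cluster.
func Preflight(fields []string, ctx HubContext) []string {
	var problems []string
	for _, f := range fields {
		if _, err := ResolveHubTemplate(f, ctx); err != nil {
			problems = append(problems, fmt.Sprintf("%s: %v", ctx.ManagedClusterName, err))
		}
	}
	return problems
}

func main() {
	good := HubContext{"du-sno-1-zone-1", map[string]string{"hardware-type": "hardware-type-1", "group-du-sno-zone": "zone-1"}}
	for _, f := range ExampleFields {
		v, err := ResolveHubTemplate(f, good)
		fmt.Printf("%s -> %q err=%v\n", good.ManagedClusterName, v, err)
	}
	// A cluster whose hardware-type label has no ConfigMap keys, and which has
	// no site entry, fails on both fields instead of silently getting empty values.
	bad := HubContext{"du-sno-2-zone-1", map[string]string{"hardware-type": "hardware-type-9"}}
	for _, p := range Preflight(ExampleFields, bad) {
		fmt.Println("preflight:", p)
	}
}
```

Because the group key is built with printf from the label value, a cluster that lacks the hardware-type label produces the key "-cpu-isolated", which is rejected just like an unknown hardware type; the same program can be pointed at the output of oc get managedclusters and oc get configmap to run that check against real labels before a commit reaches Argo CD.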