From af894b5c8b0f6b315e3a3ee2b444a9bb2811ca21 Mon Sep 17 00:00:00 2001 From: Shane Lovern Date: Fri, 2 May 2025 17:07:35 +0100 Subject: [PATCH] TELCODOCS-2123 ACM PolicyGenerator recommendation --- .../cnf-talm-for-cluster-upgrades.adoc | 8 +++- .../ztp-advanced-policygenerator-config.adoc | 13 ++---- ...ring-managed-clusters-policygenerator.adoc | 11 ++--- .../ztp-advanced-policy-config.adoc | 8 ++++ ...logy-aware-lifecycle-manager-policies.adoc | 5 ++ ...ecycle-manager-about-subscription-crs.adoc | 4 +- ...ware-lifecycle-manager-apply-policies.adoc | 2 +- modules/ztp-configuring-cluster-policies.adoc | 6 +-- ...tp-enabling-workload-partitioning-sno.adoc | 1 + ...tp-image-based-upgrade-installing-lca.adoc | 46 ++++++++++++------- .../ztp-using-pgt-to-update-source-crs.adoc | 2 +- snippets/ztp_example-sno.yaml | 2 +- 12 files changed, 67 insertions(+), 41 deletions(-) diff --git a/edge_computing/cnf-talm-for-cluster-upgrades.adoc b/edge_computing/cnf-talm-for-cluster-upgrades.adoc index bb1ed5a382..5c1375a76b 100644 --- a/edge_computing/cnf-talm-for-cluster-upgrades.adoc +++ b/edge_computing/cnf-talm-for-cluster-upgrades.adoc 
@@ -3,13 +3,15 @@ = Updating managed clusters with the {cgu-operator-full} include::_attributes/common-attributes.adoc[] :context: cnf-topology-aware-lifecycle-manager +:policy-gen-cr: PolicyGenerator toc::[] You can use the {cgu-operator-first} to manage the software lifecycle of multiple clusters. {cgu-operator} uses {rh-rhacm-first} policies to perform changes on the target clusters. -:Featurename: Using PolicyGenerator resources with {ztp} -include::snippets/technology-preview.adoc[] +Using {rh-rhacm} and `{policy-gen-cr}` CRs is the recommended approach for managing policies and deploying them to managed clusters. +This replaces the use of `PolicyGenTemplate` CRs for this purpose. +For more information about `{policy-gen-cr}`resources, see the {rh-rhacm} link:https://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/{rh-rhacm-version}/html/governance/policy-deployment#integrate-policy-generator[Policy Generator] documentation. include::modules/cnf-about-topology-aware-lifecycle-manager-config.adoc[leveloffset=+1] @@ -55,3 +57,5 @@ include::modules/cnf-topology-aware-lifecycle-manager-troubleshooting.adoc[level * xref:../edge_computing/policygenerator_for_ztp/ztp-talm-updating-managed-policies-pg.adoc#ztp-topology-aware-lifecycle-manager[Updating managed policies with {cgu-operator-full}] * xref:../edge_computing/policygenerator_for_ztp/ztp-configuring-managed-clusters-policygenerator.adoc#ztp-the-policygentemplate_ztp-configuring-managed-clusters-policygenerator[About the PolicyGenerator CRD] + +:!policy-gen-cr: \ No newline at end of file diff --git a/edge_computing/policygenerator_for_ztp/ztp-advanced-policygenerator-config.adoc b/edge_computing/policygenerator_for_ztp/ztp-advanced-policygenerator-config.adoc index 8fc5e0bbd1..e813171a8f 100644 --- a/edge_computing/policygenerator_for_ztp/ztp-advanced-policygenerator-config.adoc +++ b/edge_computing/policygenerator_for_ztp/ztp-advanced-policygenerator-config.adoc 
@@ -7,18 +7,14 @@ include::_attributes/common-attributes.adoc[] :policy-prefix: acm- :rangen-yaml-path: policies.manifests :argocd-folder: out/argocd/example/acmpolicygenerator/ +:path-prefix: acmpolicygenerator toc::[] You can use `{policy-gen-cr}` CRs to deploy custom functionality in your managed clusters. - -:Featurename: Using PolicyGenerator resources with {ztp} -include::snippets/technology-preview.adoc[] - -[NOTE] -==== -For more information about `PolicyGenerator` resources, see the {rh-rhacm} link:https://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/{rh-rhacm-version}/html/governance/integrate-policy-generator#policy-generator[Policy Generator] documentation. -==== +Using {rh-rhacm} and `{policy-gen-cr}` CRs is the recommended approach for managing policies and deploying them to managed clusters. +This replaces the use of `PolicyGenTemplate` CRs for this purpose. +For more information about `{policy-gen-cr}` resources, see the {rh-rhacm} link:https://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/{rh-rhacm-version}/html/governance/policy-deployment#integrate-policy-generator[Policy Generator] documentation. include::modules/ztp-deploying-additional-changes-to-clusters.adoc[leveloffset=+1] @@ -103,3 +99,4 @@ include::modules/ztp-configuring-pgt-image-registry.adoc[leveloffset=+2] :!policy-prefix: :!rangen-yaml-path: :!argocd-folder: +:!path-prefix: \ No newline at end of file diff --git a/edge_computing/policygenerator_for_ztp/ztp-configuring-managed-clusters-policygenerator.adoc b/edge_computing/policygenerator_for_ztp/ztp-configuring-managed-clusters-policygenerator.adoc index 8e16890c34..fe0213a343 100644 --- a/edge_computing/policygenerator_for_ztp/ztp-configuring-managed-clusters-policygenerator.adoc +++ b/edge_computing/policygenerator_for_ztp/ztp-configuring-managed-clusters-policygenerator.adoc 
@@ -11,15 +11,12 @@ include::_attributes/common-attributes.adoc[] toc::[] -Applied `Policy` custom resources (CRs) configure the managed clusters that you provision. You can customize how {rh-rhacm-first} uses `{policy-gen-cr}` CRs to generate the applied `Policy` CRs. +You can customize how {rh-rhacm-first} uses `{policy-gen-cr}` CRs to generate `Policy` CRs that configure the managed clusters that you provision. -:Featurename: Using PolicyGenerator resources with {ztp} -include::snippets/technology-preview.adoc[] +Using {rh-rhacm} and `{policy-gen-cr}` CRs is the recommended approach for managing policies and deploying them to managed clusters. +This replaces the use of `PolicyGenTemplate` CRs for this purpose. +For more information about `{policy-gen-cr}` resources, see the {rh-rhacm} link:https://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/{rh-rhacm-version}/html/governance/policy-deployment#integrate-policy-generator[Policy Generator] documentation. -[NOTE] -==== -For more information about `PolicyGenerator` resources, see the {rh-rhacm} link:https://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/{rh-rhacm-version}/html-single/governance/index#integrate-policy-generator[Integrating Policy Generator] documentation. -==== include::modules/ztp-comparing-pgt-and-rhacm-pg-patching-strategies.adoc[leveloffset=+1] diff --git a/edge_computing/policygentemplate_for_ztp/ztp-advanced-policy-config.adoc b/edge_computing/policygentemplate_for_ztp/ztp-advanced-policy-config.adoc index d0eaeb9592..591e0b4793 100644 --- a/edge_computing/policygentemplate_for_ztp/ztp-advanced-policy-config.adoc +++ b/edge_computing/policygentemplate_for_ztp/ztp-advanced-policy-config.adoc 
@@ -7,10 +7,17 @@ include::_attributes/common-attributes.adoc[] :policy-prefix: :rangen-yaml-path: spec.sourceFiles :argocd-folder: out/argocd/example/policygentemplates/ +:path-prefix: policygentemplates toc::[] You can use `{policy-gen-cr}` CRs to deploy custom functionality in your managed clusters. +[IMPORTANT] +==== +Using {rh-rhacm} and `{policy-gen-cr}` CRs is the recommended approach for managing policies and deploying them to managed clusters. +This replaces the use of `PolicyGenTemplate` CRs for this purpose. +For more information about `{policy-gen-cr}` resources, see the {rh-rhacm} link:https://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/{rh-rhacm-version}/html/governance/policy-deployment#integrate-policy-generator[Policy Generator] documentation. +==== include::snippets/pgt-deprecation-notice.adoc[] @@ -101,3 +108,4 @@ include::modules/ztp-configuring-pgt-image-registry.adoc[leveloffset=+2] :!policy-prefix: :!rangen-yaml-path: :!argocd-folder: +:!path-prefix: diff --git a/modules/cnf-about-topology-aware-lifecycle-manager-policies.adoc b/modules/cnf-about-topology-aware-lifecycle-manager-policies.adoc index 406bd61332..994722ee1e 100644 --- a/modules/cnf-about-topology-aware-lifecycle-manager-policies.adoc +++ b/modules/cnf-about-topology-aware-lifecycle-manager-policies.adoc 
@@ -14,6 +14,11 @@ Supported use cases include the following: * Manual user creation of policy CRs * Automatically generated policies from the `PolicyGenerator` or `PolicyGentemplate` custom resource definition (CRD) +[NOTE] +==== +Using the `PolicyGentemplate` CRD is the recommended method for automatic policy generation. +==== + For policies that update an Operator subscription with manual approval, {cgu-operator} provides additional functionality that approves the installation of the updated Operator. For more information about managed policies, see link:https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/{rh-rhacm-version}/html-single/governance/index#policy-overview[Policy Overview] in the {rh-rhacm} documentation. diff --git a/modules/cnf-topology-aware-lifecycle-manager-about-subscription-crs.adoc b/modules/cnf-topology-aware-lifecycle-manager-about-subscription-crs.adoc index 7fc3d314ed..f771e5687b 100644 --- a/modules/cnf-topology-aware-lifecycle-manager-about-subscription-crs.adoc +++ b/modules/cnf-topology-aware-lifecycle-manager-about-subscription-crs.adoc @@ -23,9 +23,9 @@ metadata: annotations: ran.openshift.io/ztp-deploy-wave: "2" spec: - channel: "stable" + channel: "stable-6.2" name: cluster-logging - source: redhat-operators + source: redhat-operators-disconnected sourceNamespace: openshift-marketplace installPlanApproval: Manual status: diff --git a/modules/cnf-topology-aware-lifecycle-manager-apply-policies.adoc b/modules/cnf-topology-aware-lifecycle-manager-apply-policies.adoc index f3b2191e1c..00320b7bd7 100644 --- a/modules/cnf-topology-aware-lifecycle-manager-apply-policies.adoc +++ b/modules/cnf-topology-aware-lifecycle-manager-apply-policies.adoc @@ -370,5 +370,5 @@ $ oc get csv -n [source,terminal] ---- NAME DISPLAY VERSION REPLACES PHASE -cluster-logging.5.4.2 Red Hat OpenShift Logging 5.4.2 Succeeded +cluster-logging.v6.2.1 Red Hat OpenShift Logging 6.2.1 Succeeded ---- 
diff --git a/modules/ztp-configuring-cluster-policies.adoc b/modules/ztp-configuring-cluster-policies.adoc index b0c8066ec8..3d2c6b05cc 100644 --- a/modules/ztp-configuring-cluster-policies.adoc +++ b/modules/ztp-configuring-cluster-policies.adoc @@ -4,11 +4,11 @@ :_mod-docs-content-type: CONCEPT [id="ztp-configuring-cluster-policies_{context}"] -= Configuring managed clusters with policies and PolicyGenTemplate resources += Configuring managed clusters with policies and {policy-gen-cr} resources {ztp-first} uses {rh-rhacm-first} to configure clusters by using a policy-based governance approach to applying the configuration. -The policy generator or `PolicyGen` is a plugin for the GitOps Operator that enables the creation of {rh-rhacm} policies from a concise template. The tool can combine multiple CRs into a single policy, and you can generate multiple policies that apply to various subsets of clusters in your fleet. +The policy generator is a plugin for the GitOps Operator that enables the creation of {rh-rhacm} policies from a concise template. The tool can combine multiple CRs into a single policy, and you can generate multiple policies that apply to various subsets of clusters in your fleet. [NOTE] ==== @@ -35,7 +35,7 @@ The following recommended structuring of policies combines configuration CRs to * Support flexibility in common configurations for cluster variants. -.Recommended PolicyGenTemplate policy categories +.Recommended {policy-gen-cr} policy categories [cols="1,5", width="100%", options="header"] |==== |Policy category diff --git a/modules/ztp-enabling-workload-partitioning-sno.adoc b/modules/ztp-enabling-workload-partitioning-sno.adoc index 1776ac5c88..ae321288f6 100644 --- a/modules/ztp-enabling-workload-partitioning-sno.adoc +++ b/modules/ztp-enabling-workload-partitioning-sno.adoc 
@@ -18,6 +18,7 @@ Both of these steps happen at different points during cluster provisioning. Configuring workload partitioning by using the `cpuPartitioningMode` field in the `SiteConfig` CR is a Tech Preview feature in {product-title} 4.13. Alternatively, you can specify cluster management CPU resources with the `cpuset` field of the `SiteConfig` custom resource (CR) and the `reserved` field of the group `PolicyGenerator` or `PolicyGentemplate` CR. +The `{policy-gen-cr}` CR is the recommended approach. The {ztp} pipeline uses these values to populate the required fields in the workload partitioning `MachineConfig` CR (`cpuset`) and the `PerformanceProfile` CR (`reserved`) that configure the {sno} cluster. This method is a General Availability feature in {product-title} 4.14. ==== diff --git a/modules/ztp-image-based-upgrade-installing-lca.adoc b/modules/ztp-image-based-upgrade-installing-lca.adoc index 0ea53681db..9402b3a690 100644 --- a/modules/ztp-image-based-upgrade-installing-lca.adoc +++ b/modules/ztp-image-based-upgrade-installing-lca.adoc 
@@ -78,25 +78,39 @@ status: ---- -- -. Add the CRs to your common `PolicyGenTemplate`: +. Add the CRs to your common PolicyGenerator: + [source,yaml] ---- -apiVersion: ran.openshift.io/v1 -kind: PolicyGenTemplate +apiVersion: policy.open-cluster-management.io/v1 +kind: PolicyGenerator metadata: - name: "example-common-latest" - namespace: "ztp-common" -spec: - bindingRules: - common: "true" - du-profile: "latest" - sourceFiles: - - fileName: LcaSubscriptionNS.yaml - policyName: "subscriptions-policy" - - fileName: LcaSubscriptionOperGroup.yaml - policyName: "subscriptions-policy" - - fileName: LcaSubscription.yaml - policyName: "subscriptions-policy" + name: common-latest +placementBindingDefaults: + name: common-placement-binding +policyDefaults: + namespace: ztp-common + placement: + labelSelector: + common: "true" + du-profile: "latest" + remediationAction: inform + severity: low + namespaceSelector: + exclude: + - kube-* + include: + - '*' + evaluationInterval: + compliant: 10m + noncompliant: 10s +policies: +- name: common-latest-subscriptions-policy + policyAnnotations: + ran.openshift.io/ztp-deploy-wave: "2" + manifests: + - path: source-crs/LcaSubscriptionNS.yaml + - path: source-crs/LcaSubscriptionOperGroup.yaml + - path: source-crs/LcaSubscription.yaml [...] ---- \ No newline at end of file diff --git a/modules/ztp-using-pgt-to-update-source-crs.adoc b/modules/ztp-using-pgt-to-update-source-crs.adoc index d076c5b077..2a1e03e319 100644 --- a/modules/ztp-using-pgt-to-update-source-crs.adoc +++ b/modules/ztp-using-pgt-to-update-source-crs.adoc 
@@ -126,7 +126,7 @@ spec: ==== In the `/source-crs` folder that you extract from the `ztp-site-generate` container, the `$` syntax is not used for template substitution as implied by the syntax. Rather, if the `policyGen` tool sees the `$` prefix for a string and you do not specify a value for that field in the related `{policy-gen-cr}` CR, the field is omitted from the output CR entirely. -An exception to this is the `$mcp` variable in `/source-crs` YAML files that is substituted with the specified value for `mcp` from the `{policy-gen-cr}` CR. For example, in `example/policygentemplates/{policy-prefix}group-du-standard-ranGen.yaml`, the value for `mcp` is `worker`: +An exception to this is the `$mcp` variable in `/source-crs` YAML files that is substituted with the specified value for `mcp` from the `{policy-gen-cr}` CR. For example, in `example/{path-prefix}/{policy-prefix}group-du-standard-ranGen.yaml`, the value for `mcp` is `worker`: [source,yaml] ---- diff --git a/snippets/ztp_example-sno.yaml b/snippets/ztp_example-sno.yaml index 0360fdc773..98f57b14d0 100644 --- a/snippets/ztp_example-sno.yaml +++ b/snippets/ztp_example-sno.yaml @@ -40,7 +40,7 @@ spec: # These example cluster labels correspond to the bindingRules in the PolicyGenTemplate examples du-profile: "latest" # These example cluster labels correspond to the bindingRules in the PolicyGenTemplate examples in ../policygentemplates: - # ../policygentemplates/common-ranGen.yaml will apply to all clusters with 'common: true' + # ../acmpolicygenerator/common-ranGen.yaml will apply to all clusters with 'common: true' common: true # ../policygentemplates/group-du-sno-ranGen.yaml will apply to all clusters with 'group-du-sno: ""' group-du-sno: ""
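Review bot: in `edge_computing/cnf-talm-for-cluster-upgrades.adoc`, the added sentence "For more information about `{policy-gen-cr}`resources" has no space between the closing backtick and "resources", so the attribute runs into the next word. The other copies of this sentence in the patch have the space. Add it here. The file also now ends at `:!policy-gen-cr:` with "No newline at end of file", as does `ztp-advanced-policygenerator-config.adoc` after `:!path-prefix:`. Terminate both with a newline.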
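Review bot: the new NOTE in `modules/cnf-about-topology-aware-lifecycle-manager-policies.adoc` recommends the wrong CRD. It says "Using the `PolicyGentemplate` CRD is the recommended method for automatic policy generation", while every other hunk in this patch states that `PolicyGenerator` CRs are the recommended approach and replace `PolicyGenTemplate`. Change the NOTE to name `PolicyGenerator`. The spelling `PolicyGentemplate` (lowercase "t") in this NOTE and in the bullet above it also differs from the `PolicyGenTemplate` spelling used elsewhere in the patch.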
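Review bot: the IMPORTANT block added to `edge_computing/policygentemplate_for_ztp/ztp-advanced-policy-config.adoc` uses `{policy-gen-cr}` for the recommended CR. This assembly sets `:path-prefix: policygentemplates` and `:argocd-folder: out/argocd/example/policygentemplates/`, which suggests `{policy-gen-cr}` resolves to `PolicyGenTemplate` here. If so, the text renders as a recommendation of `PolicyGenTemplate` CRs that "replaces the use of `PolicyGenTemplate` CRs". Hardcode `PolicyGenerator` in this block, in both the first sentence and the "For more information" sentence, rather than relying on the attribute.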
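Review bot: in `modules/ztp-enabling-workload-partitioning-sno.adoc`, the added line "The `{policy-gen-cr}` CR is the recommended approach." takes its CR name from whichever assembly includes the module, while the sentence directly before it names both `PolicyGenerator` and `PolicyGentemplate` literally. Write `PolicyGenerator` literally in the added line so that the recommendation cannot flip when the module is included from an assembly that sets the attribute to the other CR.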
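Review bot: two changes in `modules/cnf-topology-aware-lifecycle-manager-about-subscription-crs.adoc` and `modules/cnf-topology-aware-lifecycle-manager-apply-policies.adoc` are outside what the subject line describes. The example `Subscription` moves from `channel: "stable"` and `source: redhat-operators` to `channel: "stable-6.2"` and `source: redhat-operators-disconnected`, and the sample CSV output moves to `cluster-logging.v6.2.1`. Mention this in the commit message, and confirm that the surrounding text tells readers that the example now assumes a catalog source named `redhat-operators-disconnected`, because the hunk itself gives no such context.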
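Review bot: in `modules/ztp-image-based-upgrade-installing-lca.adoc`, the step text "Add the CRs to your common PolicyGenerator:" drops the monospace formatting that the replaced line had for `PolicyGenTemplate`, and it no longer says that the target is a CR. Suggest "Add the CRs to your common `PolicyGenerator` CR:". The file still ends with "No newline at end of file" after the closing `----`, so add a trailing newline while this file is being edited.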
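Review bot: the `{path-prefix}` attribute that `modules/ztp-using-pgt-to-update-source-crs.adoc` now uses in `example/{path-prefix}/{policy-prefix}group-du-standard-ranGen.yaml` is defined by this patch in only two assemblies, `ztp-advanced-policygenerator-config.adoc` and `ztp-advanced-policy-config.adoc`. Check that no other assembly includes this module. Where the attribute is undefined, the path renders with the literal `{path-prefix}` text.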
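Review bot: in `snippets/ztp_example-sno.yaml`, only the `common-ranGen.yaml` comment is switched to `../acmpolicygenerator/`. The comment lines around it still say "bindingRules in the PolicyGenTemplate examples in ../policygentemplates:" and `../policygentemplates/group-du-sno-ranGen.yaml`. Update the neighbouring comments in the same change so the block points at one example directory. `bindingRules` is also the field this patch removes from the PolicyGenerator example, where `placement.labelSelector` takes its place, so the comments should use that term if they move to the PolicyGenerator examples.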