Google microservice addition
Install CLI Tools, e.g. on macos via homebrew:
- brew install openshift-cli
- brew install aws-cli
- brew install rosa-cli
→ follow the console.redhat.com instructions
rosa create cluster --cluster-name winkelschleifer --sts --role-arn arn:aws:iam::226507396508:role/ManagedOpenShift-Installer-Role --support-role-arn arn:aws:iam::226507396508:role/ManagedOpenShift-Support-Role --controlplane-iam-role arn:aws:iam::226507396508:role/ManagedOpenShift-ControlPlane-Role --worker-iam-role arn:aws:iam::226507396508:role/ManagedOpenShift-Worker-Role --operator-roles-prefix winkelschleifer-s5c8 --region eu-central-1 --version 4.11.18 --compute-nodes 2 --compute-machine-type m5.xlarge --machine-cidr 10.0.0.0/16 --service-cidr 172.30.0.0/16 --pod-cidr 10.128.0.0/14 --host-prefix 23 --etcd-encryption
Check the cluster status on console.redhat.com You might need to add some details manually:
ROSA installation: https://console-openshift-console.apps.winkelschleifer.wbcq.p1.openshiftapps.com
https://examples.openshift.pub/cluster-configuration/authentication/redhat-sso/
rosa create idp --type=google --client-id=626307336472-mrtf4suln41vs30oop1gbb92qmlb57it.apps.googleusercontent.com --client-secret=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 --mapping-method=claim --hosted-domain=redhat.com --cluster=winkelschleifer --name=Google-RedHat
Add dedicated users which login via Google ID to the local group of cluster admins
rosa grant user dedicated-admin [email protected] --cluster=winkelschleifer
Locally clone the Google project
git clone https://github.com/GoogleCloudPlatform/microservices-demo
The Red Hat OpenShift cluster you create here will be base of our following activities
oc new-project microservices-demo
This is done in order to execute a deployment of Google Code As-Is. Current deployments use the following security contexts - we need to make arrangements that those settings are valid in our cluster too.
To be found in microservices-demo/release/kubernetes-manifest.yaml
securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
Based on this article: https://examples.openshift.pub/deploy/scc-anyuid/
Add the proper Role
oc create -f static/release_security_role.json
Add the related RoleBinding
oc create -f static/release_security_rolebonding.json
And use the original kubernetes manifest
oc apply -f ./release/kubernetes-manifests.yaml
This makes the default OpenShift SCC config work. And we use the As-Is Kubernetes Manifest:
oc apply -f ./release/kubernetes-manifests.yaml
And we run through each of the deploaments in order to fix the security context(s)
for DEPLOY in `oc get deployments -o jsonpath='{range .items[*]}{.metadata.name}{" "}{end}'`
do
oc patch deploy/$DEPLOY --type=json -p='[{"op": "remove", "path": "/spec/template/spec/securityContext"}]'
done
And following Monty Python's Flying Circus .... And now for something completely different
This picture illustrates the flow of things in our Red Hat Openshift environment
- Roles
- OpenShift Administrator [has administrative rights in a cluster (aka cluster admin)]
- OpenShift Developer [Has only limited rights which are mostly restricted to our project]
- Instances
- OpenShift [Kubernetes Management Platform]
- Certificate Authority [CA - we used Let's Encrypt]
- DNS Zone [Administrative access to manage on subdomain level]
- Tasks
- Configuration [Admin tasks prior to the instalation]
- ExternalDNS [Tasks executed by the ExternalDNS Operator]
- Cert-Manager [Tasks executed by the cert-manager Operator]
- Usage [Separated block of activities which are executed and orchestrated by the operators during runtime]
( ExternalDNS, cert-manager, cert-utils)
We see the default Loadbalancers which are deployed by EKS
You will need to add nameserver information in the config in your provider's frontend
And we can now add a Red Hat OpenShift route to your service
oc create route edge winkelschleifer-ingress \
--service frontend --port 8080 \
--namespace microservices-demo \
--hostname shop.winkelschleifer.marina-sport.de \
--insecure-policy=”redirect”
This leads us to the point that we have a route which terminates at our frontend service
And this can be checked as per below command
oc get route
NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD
testit-tls testit.winkelschleifer.marina-sport.de frontend 8080 edge None
winkelschleifer-ingress shop.winkelschleifer.marina-sport.de frontend 8080 edge/Redirect None
