Deploying Apica Ascent with OpenShift

This document provides a comprehensive guide on setting up, configuring, and managing Ascent in OpenSh

Creating a Red Hat OpenShift Cluster on AWS with ROSA

This guide walks you through the process of setting up an OpenShift cluster on AWS using the Red Hat OpenShift Service on AWS (ROSA). You'll need to create an account on Red Hat, configure AWS CLI and ROSA CLI, and set up roles and networking for the cluster. Once the setup is done, you'll be able to deploy Helm charts to your cluster.

Prerequisites

Linux Environment: ROSA CLI works only on Linux.
Red Hat Account: Required for accessing the OpenShift Console.
AWS Account: Required to create and manage OpenShift clusters on AWS.
AWS CLI and ROSA CLI: Required for interacting with AWS and ROSA.

Steps for Creating an OpenShift Cluster on AWS

1. Create an Account on Red Hat Console

Visit Red Hat Console: Navigate to Red Hat OpenShift Console.
Create an Account: If you don't already have one, create a Red Hat account by following the instructions on the site.
Login: Once your account is created, log in to the console.

2. Access Cluster List

After logging into the Red Hat Console, navigate to Clusters and check if there are any existing OpenShift clusters.
- If a cluster already exists, proceed to deploy Helm charts.
- If no cluster exists, you will need to create one.

3. Create a Cluster on AWS Using ROSA

Enable OpenShift Services in AWS

Go to the ROSA Getting Started Guide.
Follow the instructions to enable the OpenShift service in your AWS account. This may include linking your AWS account with Red Hat if it hasn't been done already.

Install and Configure AWS CLI

Download AWS CLI: Download and install AWS CLI from AWS CLI Installation.
Configure AWS CLI: Run the following command to configure the AWS CLI with your AWS account credentials:

aws configure

if you sso then use that command to take login and create a profile out of it

Install and Configure ROSA CLI

Download ROSA CLI: Download and install the ROSA CLI (Red Hat OpenShift Service on AWS CLI) by following the ROSA CLI Installation Guide.
Set Up ROSA CLI: Add the ROSA CLI to your system's PATH. Edit your .bashrc or .zshrc file and add the following line:

export PATH=$PATH:/path/to/rosa

Reload the Shell: After modifying the file, reload your shell configuration:

source ~/.bashrc  # or source ~/.zshrc

Get the rosa login command from openshift page and proceed for next steps after the successfull login

Create ROSA Roles in Your AWS Account

Once logged into ROSA, create the necessary roles for your OpenShift cluster in your AWS account:

rosa create account-roles --mode auto

Configure Networking (Optional)

You can either use an existing network (VPC, subnets, etc.) or create a new network for your OpenShift cluster. If creating a new network, set up the following in AWS:

Virtual Private Cloud (VPC)
Subnets
Security groups

Create the OpenShift Cluster

Open the Red Hat OpenShift Console.
Follow the steps in the console to create a new OpenShift cluster:
- Select your region, network, and instance type.
- Configure the cluster (OpenShift version, node configuration, etc.).
Create the final role for your OpenShift cluster to gain access:
```
rosa create cluster --cluster <cluster-name> --region <aws-region>
```

4. Access the OpenShift Cluster 🌟

Once the cluster is successfully created, you can:

Access via Console: Use the URL provided in the ROSA CLI output.
Log in to OpenShift: Use the login credentials provided during cluster creation.

5. Deploy Helm Charts to OpenShift Cluster 🎨

Prerequisites

Kubernetes 1.18, 1.19 or 1.20
Helm 3.2.0+
Dynamic PV provisioner support in the underlying infrastructure

Install Helm 🔨

Follow the instructions in the Helm Installation Guide to install Helm on your local machine.

Log in to the OpenShift Cluster 🔐

install oci-client in openshift console create htpasswd login creds to get access into your local Log into your OpenShift cluster using the oc login command:

oc login <cluster-api-endpoint-url> -u <username> -p <password>

Deploy a Helm Chart 📦

1. List Existing Projects

View the current projects in your OpenShift cluster:

oc get projects

2. Create a Namespace for Apica

Create a namespace (project) for the Apica deployment:

oc create namespace <namespace>

Replace <namespace> with the desired name for your namespace.

3. Set the Context to the Namespace

Switch to the newly created namespace:

oc project <namespace>

This ensures that all subsequent commands are executed within the specified namespace.

4. Deploy the Apica Helm Chart

Install the Helm chart for Apica:

Use the helm install command to deploy a Helm chart. Replace the placeholders with your actual values

helm install <release-name> --namespace <namespace> \
--set global.domain=<domain-name> \
--set ingress.tlsEnabled=true \
--set kubernetes-ingress.controller.defaultTLSSecret.enabled=true \
--set global.persistence.storageClass=<storage-class-name> -f values.yaml <chart-repo>/<chart-name>

Example:

helm install apica-release --namespace apica-namespace \
--set global.domain=example.com \
--set ingress.tlsEnabled=true \
--set kubernetes-ingress.controller.defaultTLSSecret.enabled=true \
--set global.persistence.storageClass=<storage-class-name> apica-chart-repo/apica-chart

5. Configure Service Accounts

List Service Accounts

Retrieve the service accounts created in the namespace:

oc get serviceaccounts -n <namespace>

Example Service Accounts Created:

kube-state-metrics
kubernetes-ingress-backend
node-exporter
prometheus-alertmanager
prometheus-operator
prometheus-prometheus
thanos-bucketweb
thanos-compactor
thanos-query
thanos-receive
thanos-ruler
thanos-storegateway
deployer
flash-coffee
flash-discovery
ingress-nginx
logiq-flash
logiqctl
postgres
redis
s3-gateway
s3-gateway-job
s3-gateway-update-prometheus-secret

6. Assign Privileges to Service Accounts

Service accounts may require elevated permissions to perform specific operations, such as creating pods. Assign the privileged Security Context Constraints (SCC) to the necessary service accounts.

Grant SCC to a Single Service Account

Use this command to assign the privileged SCC to a service account:

oc adm policy add-scc-to-user privileged -z <service-account> -n <namespace>

Automate SCC Assignment for Multiple Service Accounts

Use the following script to grant the privileged SCC to multiple service accounts:

for sa in kube-state-metrics \
          kubernetes-ingress-backend \
          node-exporter \
          prometheus-alertmanager \
          prometheus-operator \
          prometheus-prometheus \
          thanos-bucketweb \
          thanos-compactor \
          thanos-query \
          thanos-receive \
          thanos-ruler \
          thanos-storegateway \
          deployer \
          flash-coffee \
          flash-discovery \
          ingress-nginx \
          logiq-flash \
          logiqctl \
          postgres \
          redis \
          s3-gateway \
          s3-gateway-job \
          s3-gateway-update-prometheus-secret
  do
    oc adm policy add-scc-to-user privileged -z $sa -n <namespace>
  done

Verify SCC Permissions

To confirm the assigned permissions, run:

oc describe sa <service-account> -n <namespace>

Notes

Replace privileged with a different SCC if less permissive access is sufficient.
Ensure the namespace and service accounts exist before assigning SCCs.

Important Notes:

The Node Exporter component is not deployed by default because the required port is busy. To resolve this, set the port to 9101 during deployment.
Go to openshift console and open daemonset of node exporter > check the pod status > if its not running open the yaml file update the port to 9101 and save it
Ensure these commands are executed after the Helm installation, either as part of the helm install command or separately.
once its deployed update the cert in secret kubernetes-ingress-default-cert
Go to openshift console > project > secrets > replace the original secret key and cert > save it

Additional Resources

OpenShift Documentation: Security Context Constraints
Helm Documentation: Helm Charts

This guide provides the necessary steps for deploying Apica on OpenShift.

Verify the Deployment 🛡️

After deploying the Helm chart, verify the installation:

helm list -n <namespace>

Check the status of your pods:

oc get pods -n <namespace>

Summary of Key Commands 📜

AWS CLI Configuration

aws configure

ROSA CLI Commands

rosa login
rosa create account-roles --mode auto
rosa create cluster --cluster <cluster-name> --region <aws-region>

OpenShift Commands

oc login <cluster-url> -u <username> -p <password>
oc get pods -n <namespace>

Helm Commands

helm install <release-name> --namespace <namespace> \
--set global.domain=<domain-name> \
--set ingress.tlsEnabled=true \
--set kubernetes-ingress.controller.defaultTLSSecret.enabled=true \
--set global.persistence.storageClass=<storage-class-name> <chart-repo>/<chart-name>
helm list -n <namespace>

Last updated 1 year ago

Was this helpful?

hashtagCreating a Red Hat OpenShift Cluster on AWS with ROSA

hashtagPrerequisites

hashtagSteps for Creating an OpenShift Cluster on AWS

hashtag1. Create an Account on Red Hat Console

hashtag2. Access Cluster List

hashtag3. Create a Cluster on AWS Using ROSA

hashtag4. Access the OpenShift Cluster 🌟

hashtag5. Deploy Helm Charts to OpenShift Cluster 🎨

hashtag1. List Existing Projects

hashtag2. Create a Namespace for Apica

hashtag3. Set the Context to the Namespace

hashtag4. Deploy the Apica Helm Chart

hashtag5. Configure Service Accounts

hashtagList Service Accounts

hashtagExample Service Accounts Created:

hashtag6. Assign Privileges to Service Accounts

hashtagGrant SCC to a Single Service Account

hashtagAutomate SCC Assignment for Multiple Service Accounts

hashtagVerify SCC Permissions

hashtagNotes

hashtagImportant Notes:

hashtagAdditional Resources

hashtagSummary of Key Commands 📜

hashtagAWS CLI Configuration

hashtagROSA CLI Commands

hashtagOpenShift Commands

hashtagHelm Commands