Deploy an add-on operator and custom resources by using GitOps.
Outcomes
Install Red Hat OpenShift GitOps.
Configure the default Argo CD instance.
Create an Argo CD application that deploys an operator and custom resources from the operator.
Patch a cluster resource by using server-side apply.
As the student user on the workstation machine, use the lab command to prepare your environment for this exercise, and to ensure that all required resources are available.
[student@workstation ~]$ lab start gitops-admin
Instructions
Your cluster had downtime. During incident analysis, system administrators discovered changes to the cluster without proper documentation.
Your organization wants to implement an audit track for changes to the cluster. You decide to experiment with Red Hat OpenShift GitOps to achieve this objective.
Your experiment is to create a test cluster, install OpenShift GitOps, and perform some administrative changes to the test cluster. You test installing and using an operator, and patching existing resources.
As the admin user, locate and then navigate to the Red Hat OpenShift web console.
Use the terminal to log in to the OpenShift cluster as the admin user with redhatocp as the password.
[student@workstation ~]$ oc login -u admin -p redhatocp \
https://api.ocp4.example.com:6443
...output omitted...
Identify the URL for the OpenShift web console.
[student@workstation ~]$ oc whoami --show-console
https://console-openshift-console.apps.ocp4.example.com
Open a web browser and navigate to https://console-openshift-console.apps.ocp4.example.com. Either type the URL in a web browser, or right-click the URL in the terminal and open it from the context menu.
Click and log in as the admin user with redhatocp as the password.
Install the OpenShift GitOps operator from OperatorHub.
Navigate to Operators → OperatorHub.
Click Red Hat OpenShift GitOps, and then click Install.
Review the default configuration and click Install. The Operator Lifecycle Manager (OLM) can take a few minutes to install the operator. When the installation completes, click the link to view the operator details.
Open a separate tab and open the default Argo CD instance. You can use the application menu (the grid icon on the top navigation bar) and select the Argo CD entry. You can also use the https://openshift-gitops-server-openshift-gitops.apps.ocp4.example.com URL.
The browser displays a warning because Argo CD uses a self-signed certificate. Argo CD might take a few minutes before starting to handle requests.
Disconnect the default instance from the operator so the operator does not revert changes to the instance.
If you use the web console for this operation, then click the ArgoCD tab to display the default openshift-gitops Argo CD instance in the openshift-gitops namespace.
Click the name of the instance, and then click the YAML tab to display the resource editor.
Perform the modifications that are described later, and then click Save.
If you use the terminal for this operation, then run the following command:
[student@workstation ~]$ oc edit -n openshift-gitops argocd openshift-gitops
Remove the ownerReferences key from the metadata key in the resource, and save your changes.
The resulting resource definition should resemble this extract:
apiVersion: argoproj.io/v1alpha1
kind: ArgoCD
metadata:
  creationTimestamp: "2023-11-29T18:47:29Z"
  finalizers:
  - argoproj.io/finalizer
  generation: 1
  name: openshift-gitops
  namespace: openshift-gitops
  resourceVersion: "398331"
  uid: 00778335-f7d8-457d-92c2-121cd13f5d26
spec:
  applicationSet:
...output omitted...
For the route of the default instance, change the termination type to the reencrypt type.
Edit the Argo CD resource to match the following example:
apiVersion: argoproj.io/v1alpha1
kind: ArgoCD
metadata:
...output omitted...
spec:
...output omitted...
  server:
  ...output omitted...
    route:
      enabled: true
      tls:
        termination: reencrypt
...output omitted...
Reload the Argo CD browser tab. Instead of the certificate warning, the Argo CD login page is shown.
Grant administrator rights to the ocpadmins group.
Edit the Argo CD resource to match the following example:
apiVersion: argoproj.io/v1alpha1
kind: ArgoCD
metadata:
...output omitted...
spec:
...output omitted...
  prometheus:
    enabled: false
    ingress:
      enabled: false
    route:
      enabled: false
  rbac:
    policy: |
      g, ocpadmins, role:admin
    scopes: '[groups]'
  redis:
...output omitted...
Configure the default instance to trust the cluster certificate authority. Argo CD only clones repositories whose TLS certificates it can verify, and the classroom GitLab certificate is signed by the cluster certificate authority.
Create a cluster-root-ca-bundle configuration map in the openshift-gitops namespace.
[student@workstation ~]$ oc create configmap -n openshift-gitops \
cluster-root-ca-bundle
Add the config.openshift.io/inject-trusted-cabundle label to the configuration map with the true value.
OpenShift injects the bundle with the cluster certificate authority into the configuration maps with this label.
This bundle contains the signing certificate for the classroom GitLab instance.
[student@workstation ~]$ oc label configmap -n openshift-gitops \
cluster-root-ca-bundle config.openshift.io/inject-trusted-cabundle=true
configmap/cluster-root-ca-bundle labeled
Edit the Argo CD default instance to inject the bundle.
You can use the following command to edit the resource:
[student@workstation ~]$ oc edit argocd -n openshift-gitops openshift-gitops
Edit the resource to mount the ca-bundle.crt file in the configuration map to the /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem path of the repository server container.
...output omitted...
spec:
...output omitted...
  repo:
    resources:
      limits:
        cpu: "1"
        memory: 1Gi
      requests:
        cpu: 250m
        memory: 256Mi
    volumeMounts:
    - mountPath: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
      name: cluster-root-ca-bundle
      subPath: ca-bundle.crt
    volumes:
    - configMap:
        name: cluster-root-ca-bundle
      name: cluster-root-ca-bundle
  resourceExclusions: |
...output omitted...
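The four changes to the default instance (detaching it from the operator, switching the route to reencrypt, granting the ocpadmins group the admin role, and mounting the injected CA bundle into the repository server) can also be applied without an interactive editor, which is easier to script and to review. The following script is an added example and is not part of the course material. It assumes an oc session with cluster-admin rights, the openshift-gitops instance in the openshift-gitops namespace, and the ocpadmins group from the exercise; the apply entry point is the author's own convention. It uses JSON merge patches, so running it twice is harmless, and it keeps the patch generation separate from the oc calls so that the patches can be inspected before anything touches the cluster.

```bash
#!/usr/bin/env bash
# Added example (not from the course): apply the Argo CD instance changes with
# oc patch instead of an interactive editor. Assumes an oc session with
# cluster-admin rights; instance name, namespace, group name and mount path
# are taken from the exercise text.
set -euo pipefail

NS=openshift-gitops
NAME=openshift-gitops
CM=cluster-root-ca-bundle

# Merge patch that deletes metadata.ownerReferences (a null value removes the
# key in a JSON merge patch), so the operator stops reconciling the instance.
# Unlike a JSON Patch "remove", this does not fail when the key is already gone.
ownerref_patch() {
  printf '%s' '{"metadata":{"ownerReferences":null}}'
}

# Merge patch for the spec: reencrypt route, group-based RBAC, and the
# trusted CA bundle mounted over the repo server's system trust store.
spec_patch() {
  cat <<'EOF'
{"spec":{
  "server":{"route":{"enabled":true,"tls":{"termination":"reencrypt"}}},
  "rbac":{"policy":"g, ocpadmins, role:admin\n","scopes":"[groups]"},
  "repo":{
    "volumeMounts":[{"mountPath":"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem",
                     "name":"cluster-root-ca-bundle","subPath":"ca-bundle.crt"}],
    "volumes":[{"name":"cluster-root-ca-bundle","configMap":{"name":"cluster-root-ca-bundle"}}]}}}
EOF
}

apply_changes() {
  # Create the config map if it is missing and label it so that OpenShift
  # injects the cluster CA bundle (ca-bundle.crt) into it.
  oc get configmap -n "$NS" "$CM" >/dev/null 2>&1 || oc create configmap -n "$NS" "$CM"
  oc label configmap -n "$NS" "$CM" config.openshift.io/inject-trusted-cabundle=true --overwrite
  # Detach first, so the operator cannot revert the spec changes that follow.
  oc patch argocd "$NAME" -n "$NS" --type=merge -p "$(ownerref_patch)"
  oc patch argocd "$NAME" -n "$NS" --type=merge -p "$(spec_patch)"
}

# Checks worth running after the change: no owner reference left, reencrypt in
# place, the group grant present, and the CA bundle actually populated.
verify() {
  [ -z "$(oc get argocd "$NAME" -n "$NS" -o jsonpath='{.metadata.ownerReferences}')" ]
  [ "$(oc get argocd "$NAME" -n "$NS" -o jsonpath='{.spec.server.route.tls.termination}')" = reencrypt ]
  oc get argocd "$NAME" -n "$NS" -o jsonpath='{.spec.rbac.policy}' | grep -q 'g, ocpadmins, role:admin'
  oc get configmap -n "$NS" "$CM" -o jsonpath='{.data.ca-bundle\.crt}' | grep -q 'BEGIN CERTIFICATE'
}

# Only talk to a cluster when explicitly asked: ./argocd-setup.sh apply
if [ "${1:-}" = apply ]; then
  apply_changes
  verify
fi
```

Run it as `bash argocd-setup.sh apply` after logging in with oc. The verify step matters more than it looks: the label only schedules the injection, and the repository server picks up the new bundle only when its pod restarts, so a repository that still fails with a TLS error right after the patch is usually a pod that has not rolled yet rather than a wrong mount path.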
Create a public repository in the classroom GitLab.
Open a web browser and navigate to https://git.ocp4.example.com.
Log in as the developer user with d3v3lop3r as the password.
Click New project, and then choose to create a blank project.
Use gitops-admin as the project slug (repository name), select the Public visibility level, and use the default values for all other fields.
Click Create project.
Populate the repository.
Click Clone, and then copy the https://git.ocp4.example.com/developer/gitops-admin.git HTTPS URL.
Change to the DO380/labs/gitops-admin/ directory.
[student@workstation ~]$ cd DO380/labs/gitops-admin
In a terminal, run the following command to clone the new repository.
[student@workstation gitops-admin]$ git clone \
https://git.ocp4.example.com/developer/gitops-admin.git
Cloning into 'gitops-admin'...
...output omitted...
Change to the cloned repository directory.
[student@workstation gitops-admin]$ cd gitops-admin
The default configuration for new repositories adds a README.md initial file.
Copy the provided operator.yaml file to the repository.
[student@workstation gitops-admin]$ cp ../operator.yaml .
Examine the file and edit the file to match the following text:
apiVersion: v1
kind: Namespace
metadata:
  name: openshift-compliance
---
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
...output omitted...
---
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: compliance-operator
...output omitted...
---
apiVersion: compliance.openshift.io/v1alpha1
profiles:
- apiGroup: compliance.openshift.io/v1alpha1
  name: rhcos4-moderate
  kind: Profile
settingsRef:
  apiGroup: compliance.openshift.io/v1alpha1
  name: default
  kind: ScanSetting
kind: ScanSettingBinding
metadata:
  name: nist-moderate
  namespace: openshift-compliance
  annotations:
    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
    argocd.argoproj.io/sync-wave: "1"
The file contains manifests to install the compliance operator, with the namespace, operator group, and subscription.
The file also contains a scan setting binding. The compliance operator examines scan setting bindings and scans the cluster after they are defined.
Because scan setting bindings are custom resources that the compliance operator installs, you must use extra configuration so that Argo CD can create the resource correctly:
The dry run must be skipped, because when the Argo CD application is created, the custom resource definition does not exist yet, so the Argo CD dry-run validation of the scan setting binding would fail.
The scan setting binding must be created after the custom resource definition exists. To delay its creation, you assign the scan setting binding to a sync wave after the default wave 0. However, the subscription only asks OLM to install the operator; the CRD is registered asynchronously some time later, and a sync wave cannot wait for that. For this reason, later you also configure retries for the application, so that a sync that runs before the CRD is available is attempted again.
Add the operator.yaml file to the Git index.
[student@workstation gitops-admin]$ git add operator.yaml
Commit the changes.
[student@workstation gitops-admin]$ git commit -m "Add compliance manifests"
[main 6785970] Add compliance manifests
...output omitted...
Push the changes to the repository.
Use the developer user with d3v3lop3r as the password.
[student@workstation gitops-admin]$ git push
...output omitted...
Log in to the Argo CD web console as the admin user.
Go back to the Argo CD browser tab.
Click Log in via OpenShift, and then select the identity provider.
Log in as the admin user with redhatocp as the password, and then allow the requested permission.
Create an application with the repository and observe the results.
Click New App.
Create an application with the information in the following table:
| Field | Value |
|---|---|
| Application Name | gitops-admin |
| Project Name | default |
| Retry | Checked |
| Repository URL | https://git.ocp4.example.com/developer/gitops-admin.git |
| Path | . |
| Cluster URL | https://kubernetes.default.svc |
Then, click Create.
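The form above is equivalent to the following Application resource. Creating it with oc instead of through the form keeps the application definition itself in Git, which is the audit track the exercise is after, and it makes the retry setting visible: the Retry checkbox in the form corresponds to the syncPolicy.retry block, which is what covers the gap between the subscription being applied and the scan setting binding's custom resource definition becoming available. This script is an added example and is not part of the course material. It assumes an oc session with rights in the openshift-gitops namespace and the repository URL from the exercise; the retry limits, the polling interval and the apply entry point are the author's own choices.

```bash
#!/usr/bin/env bash
# Added example (not from the course): create the gitops-admin Application
# declaratively instead of through the Argo CD web form. Assumes an oc session
# with rights in the openshift-gitops namespace; retry and polling values are
# illustrative, not taken from the exercise.
set -euo pipefail

NS=openshift-gitops
APP=gitops-admin

application_manifest() {
  cat <<'EOF'
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: gitops-admin
  namespace: openshift-gitops
spec:
  project: default
  source:
    repoURL: https://git.ocp4.example.com/developer/gitops-admin.git
    targetRevision: HEAD
    path: .
  destination:
    server: https://kubernetes.default.svc
  syncPolicy:
    # Same effect as the "Retry" checkbox: a sync that fails because the
    # ScanSettingBinding CRD is not registered yet is retried with backoff
    # instead of leaving the application in an error state.
    retry:
      limit: 5
      backoff:
        duration: 10s
        factor: 2
        maxDuration: 3m
EOF
}

create_application() {
  application_manifest | oc apply -n "$NS" -f -
}

# Poll until Argo CD reports the application synced and healthy, or give up.
# Prints the final "<sync>/<health>" pair and returns non-zero on timeout, so a
# pipeline step can fail instead of assuming the operator is installed.
wait_for_sync() {
  local tries=${1:-30} state=""
  while [ "$tries" -gt 0 ]; do
    state=$(oc get application "$APP" -n "$NS" \
      -o jsonpath='{.status.sync.status}/{.status.health.status}' 2>/dev/null || true)
    [ "$state" = "Synced/Healthy" ] && break
    tries=$((tries - 1))
    sleep 10
  done
  printf '%s\n' "$state"
  [ "$state" = "Synced/Healthy" ]
}

# Only talk to a cluster when explicitly asked: ./gitops-admin-app.sh apply
if [ "${1:-}" = apply ]; then
  create_application
  wait_for_sync 60
fi
```

The manifest has no automated sync policy, so after `bash gitops-admin-app.sh apply` the first synchronization is still triggered from the console as in the next step; wait_for_sync then tells you when the compliance operator is actually installed rather than when the sync was merely started.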
Synchronize the application.
Click the application name to view the application.
Click Sync to display the synchronization panel, and then click Synchronize.
Argo CD starts synchronizing the application. After about one minute, the console shows the compliance operator as synchronized and healthy.
If you wait about four minutes, then the compliance operator scans and creates a compliance suite custom resource.
You can display the results of the scan from Argo CD by clicking the compliance suite. The compliance suite is in the done phase, with the non-compliant result.
You can also monitor the progress of the scan by running the watch oc get compliancesuite -A command.
The many resources that the application tracks can cause the Argo CD web console to become unstable. If the web console does not respond, then you can close the browser tab and reopen the Argo CD web console.
Collapsing the resources in the Argo CD web console can help with exploring the resources.
Customize the OpenShift console.
Copy the provided console.yaml file to the repository.
[student@workstation gitops-admin]$ cp ../console.yaml .
Edit the file to match the following text:
apiVersion: operator.openshift.io/v1
kind: Console
metadata:
  name: cluster
  annotations:
    argocd.argoproj.io/sync-options: ServerSideApply=true,Validate=false
spec:
  customization:
    customProductName: Production
Because the cluster console resource already exists, this manifest defines only a patch to update the product name.
For Argo CD to apply the manifest as a patch instead of replacing the resource, you must set the ServerSideApply=true sync option with the annotation. With server-side apply, Argo CD becomes the field manager only for the fields that the manifest contains and leaves the rest of the resource to its existing managers.
Because a partial manifest is a valid patch but not necessarily a valid complete resource, the Validate=false option disables the schema validation that would otherwise reject the patch for its missing fields.
Add the console.yaml file to the Git index.
[student@workstation gitops-admin]$ git add console.yaml
Commit the changes.
[student@workstation gitops-admin]$ git commit -m "Customize console"
...output omitted...
Push the changes to the repository.
[student@workstation gitops-admin]$ git push
...output omitted...
Click Sync to display the synchronization panel, and then click Synchronize.
Reload the OpenShift web console to observe the changes. After you reload the console, the browser tab title ends with the Production text.
Change to the /home/student directory.
[student@workstation gitops-admin]$ cd