DO380 - ch05s06

Bookmark this page

Guided Exercise: GitOps for Application Management

Deploy an application and its dependencies by using OpenShift GitOps.

Outcomes

Create an Argo CD instance for developers with the appropriate permissions.
Use Argo CD to deploy an application in the cluster.

As the student user on the workstation machine, use the lab command to prepare your environment for this exercise, and to ensure that all required resources are available.

[student@workstation ~]$ lab start gitops-app

Instructions

Your company requires you to create a separate instance of Argo CD in the gitops-app namespace, for a project administration team and a project developer team that must deploy an application.

For the Argo CD instance, the project-admins group has full permissions for Argo CD applications, but only read permission for projects and clusters. For the same instance, the project-devs group has only read permission for Argo CD applications, projects, and clusters. The project-admin user is part of the project-admins group, and the developer user is part of the project-devs group.

The following diagram summarizes the relationship between the components in the exercise:

In this exercise, GitLab is configured with two repositories, one for project administration and one for project developer teams. The repository for the developer user is populated with the necessary files, including a MariaDB database and the Etherpad application. The project-admin user has one empty etherpad-admin repository.

Create the etherpad-devs namespace by using the OpenShift admin user. You must create the application in the etherpad-devs namespace. The Argo CD instance must manage the etherpad-devs namespace. The OpenShift admin user gives administrative access to the etherpad-devs namespace for users in the project-admins group.

The project-admin admin user creates a secret with the credentials for the MariaDB database to be deployed. This setup ensures that the database credentials are not stored in Git; storing in Git could lead to security issues.

At the beginning, the developer user has no permissions on the etherpad-devs namespace. Thus, the project-admin user must upload an RBAC file to the etherpad-admin repository and use Argo CD to give the developer user read permission in the project. Then, the developer user can view logs for troubleshooting if necessary.

Next, the project-admin user creates the MariaDB and Etherpad applications. The project-admin user also creates a PVC for the database backup.

The developer user creates two Argo CD hooks: one pre-synchronization hook that makes a database backup in a separate PVC, and one post-synchronization hook that verifies that the Etherpad application is running.

Finally, the developer user modifies the title for the Etherpad application in the repository and sees how the application is updated in Argo CD.

Create the Argo CD instance in the gitops-app namespace. The Argo CD must trust the classroom certificate.

Connect to the OpenShift cluster as the admin user with redhatocp as the password.

[student@workstation ~]$ oc login -u admin -p redhatocp \
  https://api.ocp4.example.com:6443
Login successful.

You have access to 70 projects, the list has been suppressed. You can list all projects with 'oc projects'

Using project "default".

Change to the gitops-app project.

[student@workstation ~]$ oc project gitops-app
Now using project "gitops-app" on server "https://api.ocp4.example.com:6443".

Create a cluster-root-ca-bundle configuration map in the gitops-app namespace.

[student@workstation ~]$ oc create configmap cluster-root-ca-bundle
configmap/cluster-root-ca-bundle created

Add the config.openshift.io/inject-trusted-cabundle label to the configuration map with the true value. OpenShift injects the bundle with the cluster certificate authority to the configuration maps with this label. This bundle contains the signing certificate for the classroom GitLab instance.
```
[student@workstation ~]$ oc label configmap cluster-root-ca-bundle \
  config.openshift.io/inject-trusted-cabundle=true
configmap/cluster-root-ca-bundle labeled
```

Create the Argo CD instance YAML file. Set the termination type of the route to the reencrypt type. Grant read permission to projects and clusters to the project-admins and project-devs groups. For applications, grant full permissions to the project-admins group, and read permission to the project-devs groups. The Argo CD instance must mount the ca-bundle.crt certificate in the configuration map to the /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem path of the repository server container. You can find an incomplete example for the Argo CD CR in the ~/DO380/labs/gitops-app/argocd-instance.yaml file.

apiVersion: argoproj.io/v1beta1
kind: ArgoCD
metadata:
  name: argocd
  namespace: gitops-app
spec:
  server:
...output omitted...
    route:
      enabled: true
      tls:
        termination: reencrypt
...output omitted...
  rbac:
    defaultPolicy: ''
    policy: |
      g, system:cluster-admins, role:admin
      g, project-devs, role:project-devs
      p, role:project-devs, applications, get, */*, allow
      p, role:project-devs, projects, get, *, allow
      p, role:project-devs, clusters, get, *, allow
      g, project-admins, role:project-admins
      p, role:project-admins, applications, *, */*, allow
      p, role:project-admins, projects, get, *, allow
      p, role:project-admins, clusters, get, *, allow
    scopes: '[groups]'
  repo:
    resources:
      limits:
        cpu: 1000m
        memory: 1024Mi
      requests:
        cpu: 250m
        memory: 256Mi
    volumeMounts:
    - mountPath: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
      name: cluster-root-ca-bundle
      subPath: ca-bundle.crt
    volumes:
    - configMap:
        name: cluster-root-ca-bundle
      name: cluster-root-ca-bundle
...output omitted...

Create the Argo CD instance.

[student@workstation ~]$ oc create -f \
  ~/DO380/labs/gitops-app/argocd-instance.yaml
argocd.argoproj.io/argocd created

Create the etherpad-devs project and label it as managed by the Argo CD instance. Assign administrative permission to users in the project-admins group.

Create the etherpad-devs project.

[student@workstation ~]$ oc new-project etherpad-devs
Now using project "etherpad-devs" on server "https://api.ocp4.example.com:6443".
...output omitted...

Label the etherpad-devs project as managed by the Argo CD instance in the gitops-app project.

[student@workstation ~]$ oc label namespace etherpad-devs \
  argocd.argoproj.io/managed-by=gitops-app
namespace/etherpad-devs labeled

Assign administrative permission to the etherpad-devs project for users in the project-admins group.

[student@workstation ~]$ oc adm policy add-role-to-group admin \
  project-admins -n etherpad-devs
clusterrole.rbac.authorization.k8s.io/admin added: "project-admins"

[student@workstation ~]$ oc login -u developer -p developer
...output omitted...

Verify that the developer user has no access to the etherpad-devs project.

[student@workstation ~]$ oc projects
You are not a member of any projects. You can request a project to be created with the 'new-project' command.

[student@workstation ~]$ oc login -u project-admin -p redhat
...output omitted...

As the project-admin user in OpenShift, create the mariadb secret with the MariaDB database credentials. Create the database-backup persistent volume claim (PVC), for a later step to back up the MariaDB database.
1. Create the mariadb secret YAML file that contains the MariaDB credentials. You can find an incomplete example for the secret in the ~/DO380/labs/gitops-app/secret.yaml file.
```
apiVersion: v1
kind: Secret
metadata:
  name: mariadb
  namespace: etherpad-devs
  labels:
    app: mariadb
stringData:
  MARIADB_DATABASE: etherpad_lite_db
  MARIADB_USER: appuser
  MARIADB_PASSWORD: securepassword
  MARIADB_ROOT_PASSWORD: supersecurepassword
```
2. Create the mariadb secret.
```
[student@workstation ~]$ oc create -f \
  ~/DO380/labs/gitops-app/secret.yaml
secret/mariadb created
```
As the project-admin user, create an RBAC file in the etherpad-admin repository in GitLab to give the developer user read permission in the etherpad-devs project. The project-admin user uses this repository in Argo CD in a later step to give read permission to the developer user.
1. Create the RBAC YAML file to give the developer user read permission in the etherpad-devs project. You can find an incomplete YAML example in the ~/DO380/labs/gitops-app/etherpad-admin/rbac.yaml file.
```
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: developer-view
  namespace: etherpad-devs
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: project-devs
```
2. Open a web browser and navigate to https://git.ocp4.example.com. Log in as the project-admin user with r3dh4tgit as the password.
3. Click the etherpad-admin project.
4. Click the Upload File button and then click upload. Select the ~/DO380/labs/gitops-app/etherpad-admin/rbac.yaml file, and then click the Open button. Click Upload file.

Open the Argo CD instance as the project-admin user and create the RBAC rule for the developer user.

Change to the terminal window and log in as the admin user.

[student@workstation ~]$ oc login -u admin -p redhatocp
...output omitted...

Verify the route for the Argo CD instance.

[student@workstation ~]$ oc get route -n gitops-app
NAME            HOST/PORT                                        PATH   ...
argocd-server   argocd-server-gitops-app.apps.ocp4.example.com          ...

Open a web browser tab and navigate to https://argocd-server-gitops-app.apps.ocp4.example.com
Click LOG IN VIA OPENSHIFT and log in as the project-admin user with redhat as the password, by using the Red Hat Identity Management identity provider, and allowing the user:info permission.
Click CREATE APPLICATION.

Create an Argo CD application with the information in the following table:

Field	Value
Application Name	`rbac-rule`
Project Name	`default`
Sync Policy	`Automatic`
Repository URL	`https://git.ocp4.example.com/project-admin/etherpad-admin.git`
Path	`.`
Cluster URL	`https://kubernetes.default.svc`
Namespace	`etherpad-devs`

Then, click CREATE.

Change to the terminal window and log in as the developer user. The developer user has access to the etherpad-devs project.
```
[student@workstation ~]$ oc login -u developer -p developer
...output omitted...
Using project "etherpad-devs".
```

Create the Etherpad application by using the Argo CD instance and verify that it works. The project-admin user creates the application by using the developer user repository. Thus, although the developer user cannot modify the application in Argo CD or in OpenShift, the developer user can change the files in the repository to update the application.

Go back to the Argo CD browser tab.
Click NEW APP.

Create an application with the information in the following table:

Field	Value
Application Name	`etherpad-app`
Project Name	`default`
Sync Policy	`Automatic`
Repository URL	`https://git.ocp4.example.com/developer/etherpad-app.git`
Path	`.`
Cluster URL	`https://kubernetes.default.svc`
Namespace	`etherpad-devs`

Then, click CREATE.

Click etherpad-app to view the application. Argo CD starts synchronizing the application. After about one minute, the console shows the Etherpad application as synchronized and healthy.

Change to the terminal window and get the URL for the Etherpad application. The developer user has read access to the etherpad-devs project in OpenShift.

[student@workstation ~]$ oc get route
NAME       HOST/PORT                                      PATH   ...
etherpad   etherpad-etherpad-devs.apps.ocp4.example.com          ...

Open a web browser tab and navigate to https://etherpad-etherpad-devs.apps.ocp4.example.com to verify that the application is up and running. Notice the DO380 - etherpad title in the tab.

As the developer user in Git, create two Argo CD hooks in the etherpad-app Git repository. The developer user Git credentials are already configured in the classroom environment. The pre-synchronization hook must back up the database in the database-backup PVC. The post-synchronization hook verifies that the Etherpad application is running. Modify the Etherpad application title.

Change to the terminal window, and change to the ~/DO380/labs/gitops-app/etherpad-app/ directory. The Git repository is synchronized to that directory.
```
[student@workstation ~]$ cd ~/DO380/labs/gitops-app/etherpad-app/
```

Copy the provided hook files to the repository.

[student@workstation etherpad-app]$ cp ../hooks/{presync,postsync}.yaml .

Edit the pre-synchronization hook file to match the following text. The pre-synchronization hook uses the mysqldump command to back up the database in the database-backup PVC.
```
apiVersion: batch/v1
kind: Job
metadata:
  generateName: backup-mariadb
  annotations:
    argocd.argoproj.io/hook: PreSync
...output omitted...
```

Edit the post-synchronization hook file to match the following text. The post-synchronization hook uses the curl command to ensure that the Etherpad application is up and running.

apiVersion: batch/v1
kind: Job
metadata:
  generateName: test-etherpad
  annotations:
    argocd.argoproj.io/hook: PostSync
spec:
  template:
    metadata:
      name: test-etherpad
    spec:
      containers:
      - name: test-etherpad
        image: registry.ocp4.example.com:8443/redhattraining/mariadb:10.5
        command: ["curl","-k","-s","https://etherpad-etherpad-devs.apps.ocp4.example.com"]
      restartPolicy: Never
  backoffLimit: 2

Open the etherpad-deployment.yaml file and modify the Etherpad application title.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: etherpad
  labels:
    app.kubernetes.io/name: etherpad
spec:
...output omitted...
    spec:
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - env:
          - name: TITLE
            value: My test Etherpad app
...output omitted...

Add the hook and deployment files to the Git index.

[student@workstation etherpad-app]$ git add presync.yaml postsync.yaml \
  etherpad-deployment.yaml

Commit the changes.

[student@workstation etherpad-app]$ git commit -m \
  "Add synchronization hooks and change title"
...output omitted...

Push the changes to the repository.

[student@workstation etherpad-app]$ git push
...output omitted...

As the developer user in Argo CD, verify that the application is updated to the last repository version with the two hooks.
1. Change to the Argo CD browser tab and click Log out.
2. Click LOG IN VIA OPENSHIFT and log in as the developer user with developer as the password, by using the Red Hat Identity Management identity provider, and allowing the user:info permission.
3. Click etherpad-app to view the application.
4. Argo CD automatically detects the changes in the repository and starts synchronizing the application.
  Note
  The Argo CD automatic synchronization interval is set to 3 minutes by default. Thus, if the last synchronization does not match the last commit, then you can click REFRESH so Argo CD detects the changes.
  If the Argo CD application is in the Syncing stage, then wait until Argo CD finishes synchronizing it.
5. Verify that Argo CD creates the backup-mariadb and test-etherpad jobs according to the hooks. To inspect the logs for the hooks, click the job name and then click LOGS. The backup-mariadb pre-synchronization hook connects to and backs up the MariaDB database in the database-backup PVC. The test-etherpad post-synchronization hook uses the curl command to verify that the Etherpad application is up and running.
6. Change to the terminal window and log in as the project-admin user.
```
[student@workstation etherpad-app]$ oc login -u project-admin -p redhat
...output omitted...
```
7. Create a pod to inspect the contents of the database-backup PVC. You can use the ~/DO380/labs/gitops-app/backup-inspector.yaml file for this purpose.
```
[student@workstation etherpad-app]$ oc create -f ../backup-inspector.yaml
pod/backup-inspector created
```
8. Wait until the backup-inspector pod is running and open a remote shell on it.
```
[student@workstation etherpad-app]$ oc rsh backup-inspector
```
9. Review the contents of the external-data directory. The pre-synchronization hook creates a database backup every time that the application is updated to a new version.
```
sh-5.1$ ls /external-data/
database-backup-files-202312201021  lost+found
```
10. Close the remote shell.
```
sh-5.1$ exit
```
11. Remove the backup-inspector pod.
```
[student@workstation etherpad-app]$ oc delete pod backup-inspector
pod "backup-inspector" deleted
```
12. Change to the Etherpad web browser tab and reload it. The tab title must change to My test Etherpad app.
Close the web browser and change to the /home/student directory in the terminal window.
```
[student@workstation etherpad-app]$ cd
```

Finish

On the workstation machine, use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish gitops-app

Discuss Red Hat OpenShift Administration III: Scaling Deployments in the Enterprise

Go to community

Welcome to Red Hat OpenShift Administration III: Scaling Kubernetes Deployments in the Enterprise!

Syed

12 wrz 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat OpenShift Administration III: Scaling Kubernetes Deployments in the Enterprise! To gain the most value from this group - click the "Join Group" button in the upper right hand corner of the group home page.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to DO378.Read more about Red Hat OpenShift Administration III: Scaling Kubernetes Deployments in the Enterprise here.

Revision: do380-4.14-397a507

Red Hat OpenShift Administration III: Scaling Deployments in the Enterprise

Guided Exercise: GitOps for Application Management

Note