From 26578f658d5c60f69266d31302dce3bfef7976c2 Mon Sep 17 00:00:00 2001 From: chrisjsimpson Date: Fri, 9 Sep 2022 19:18:07 +0100 Subject: [PATCH 1/4] #6 wip adding openshift deployment --- .gitignore | 1 + README.md | 6 +++ openshift/README.md | 91 ++++++++++----------------------------------- 3 files changed, 26 insertions(+), 72 deletions(-) diff --git a/.gitignore b/.gitignore index 68d2a46..5058e91 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ docs/venv +OBP-API diff --git a/README.md b/README.md index 723912e..9b78090 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,11 @@ # Kubernetes Build (local development) + +## Target environments + +- [Openshift](openshift) +- Kubernetes (see below) + For running locally, install https://microk8s.io/docs/. Otherwise, use a kubernetes provider (Google Cloud, OpenShift etc) diff --git a/openshift/README.md b/openshift/README.md index f8bfae3..d06aa64 100644 --- a/openshift/README.md +++ b/openshift/README.md 
@@ -1,94 +1,41 @@ -# Minishift set-up (rebranded minikube) +# Deploy OpenBankProject on Openshift -- Install minishift (https://docs.okd.io/latest/minishift/getting-started/index.html) +## Local development environment -``` -minishift start -``` +Tools required: +- `crc` ([Download & install crc](https://github.com/code-ready/crc/releases)) -### View console -``` -minishift console -``` - -### oc Env (rebranded kubectl) -``` -eval $(minishift oc-env) -``` +Start `crc` -### Import the template - -Openshift `oc apply` command does **not** appear to automatically run your -manifest because `obpapi_openshift.yaml` is a template object. -After running this command you must use `oc new-app` to actually run the -template. This is confusing because with vanilla kubernetes kubectl would run -the manifest. An openshift template is similar (but not the same) as a Helm -cart if you're familiar with helm. -``` -oc apply -f obpapi_openshift.yaml -``` -Now run the template as a new app: ``` -oc new-app obp-api-example # App name comes from the template name in yaml file. -``` - -Add a route for the service: -``` - -oc expose svc/obpapi-service +crc setup +crc start ``` -See if it works: +Enable podman: - -### Seed the sandbox: Deploy a bootstrap pod - -We have a bootstrap node which creates an initial user for you automatically. -This user can then be promoted to a super admin, and used to import demo data. - -``` -oc apply -f ../../obp-boostrap-user/bootstrap.yaml # Deploy bootstrap node -``` - -Get boostrap.yaml, and edit the `env` file: - -- username -- password - -The password policy is very strict. Install will fail if too weak. +> This sets-up podman to 'speak' to your local openshift cluster *rather* than your host machine. 
``` -wget https://raw.githubusercontent.com/chrisjsimpson/obp-kubernetes/master/bootstrap.yaml +eval $(crc podman-env) ``` +> **Warning** +> If you see "error did not resolve to an alias and no unqualified-search registries are defined" +> Then edit `/etc/containers/registries.conf` and add/uncomment to your prefered registry e.g. `'unqualified-search-registries = ["docker.io"]` [ref: podman no longer searched dockerhub error](https://unix.stackexchange.com/questions/701784/podman-no-longer-searches-dockerhub-error-short-name-did-not-resolve-to-an)) +### Clone OBP-API & build `obp-api` image +> **Warning** +> Work in progress. This clone url is subject to change to the [official repo](https://github.com/OpenBankProject/OBP-API.git) ------------------Old------------------ -### Docker env -``` -eval $(minishift docker-env) -oc login # username developer, password password -docker login -u developer -p $(oc whoami -t) $(minishift openshift registry) -``` - -### Local Docker registry build and push -``` -eval $(minishift oc-env) -eval $(minishift docker-env) -oc login -docker login -u developer -p $(oc whoami -t) $(minishift openshift registry) -docker built -t test . -docker tag test $(minishift openshift registry)/myproject/test -docker push $(minishift openshift registry)/myproject/test - -# 'Deploy' as new app -oc new-app myproject/test ``` -**Note** The 'myproject' tag is needed for minishift docker push to work, otherwise you wil see `unauthorized: authentication required`. +git clone https://github.com/KarmaComputing/OBP-API.git +cd OBP-API +``` \ No newline at end of file From a7c7b8c8fe4c9a195e1618c0fa0ccb590a7a3890 Mon Sep 17 00:00:00 2001 From: chrisjsimpson Date: Sun, 2 Oct 2022 01:21:21 +0100 Subject: [PATCH 2/4] #6 valid OBP quickstart working no openshift & k8s --- openshift/obpapi_openshift.yaml | 300 +++++++++++++++++--------------- 1 file changed, 162 insertions(+), 138 deletions(-) 
diff --git a/openshift/obpapi_openshift.yaml b/openshift/obpapi_openshift.yaml index d6b61f4..1ab8732 100644 --- a/openshift/obpapi_openshift.yaml +++ b/openshift/obpapi_openshift.yaml 
@@ -1,140 +1,164 @@ -kind: "Template" +apiVersion: apps/v1 +kind: Secret apiVersion: v1 metadata: - name: "obp-api-example" -objects: - - kind: Secret - apiVersion: v1 - metadata: - name: postgres-credentials - type: Opaque - data: - postgres_user: b2JwdXNlcg== #obpuser - postgres_password: b2JwcGFzc3dvcmQ= #obppassword - postgres_db_name: b2JwdXNlcg== #obpuser - postgres_data: L3Zhci9saWIvcG9zdGdyZXNxbC9kYXRhL3BnZGF0YQ== # /var/lib/postgresql/data/pgdata - jdbc_driver: b3JnLnBvc3RncmVzcWwuRHJpdmVy # org.postgresql.Driver - jdbc_url: amRiYzpwb3N0Z3Jlc3FsOi8vcG9zdGdyZXMtc2VydmljZTo1NDMyL29icHVzZXI/dXNlcj1vYnB1c2VyJnBhc3N3b3JkPW9icHBhc3N3b3Jk # jdbc:postgresql://postgres-service:5432/obpuser?user=obpuser&password=obppassword - - kind: PersistentVolumeClaim - apiVersion: v1 - metadata: - name: postgres-volume-claim - spec: - accessModes: - - ReadWriteOnce - volumeMode: Filesystem - resources: - requests: - storage: 5Gi - - kind: Service - apiVersion: v1 - metadata: - name: obpapi-service - spec: - selector: - app: obpapi - ports: - - name: http - protocol: TCP - port: 80 - targetPort: 8080 - type: LoadBalancer - - kind: Deployment - apiVersion: apps/v1 - metadata: - name: obp-deployment - labels: - app: obpapi - spec: - replicas: 1 - selector: - matchLabels: - app: obpapi - template: - metadata: - labels: - app: obpapi - spec: - containers: - - name: obpapi - image: openbankproject/obp-api # docker build -t obpapi-kube . 
- resources: - requests: - memory: "1200Mi" - env: - - name: OBP_DB_DRIVER - valueFrom: - secretKeyRef: - name: postgres-credentials - key: jdbc_driver - - name: OBP_DB_URL - valueFrom: - secretKeyRef: - name: postgres-credentials - key: jdbc_url - ports: - - containerPort: 8080 - name: http - - kind: Service - apiVersion: v1 - metadata: - name: postgres-service - spec: - selector: - app: postgres - ports: - - protocol: TCP - port: 5432 - targetPort: 5432 - - kind: Deployment - apiVersion: apps/v1 - metadata: - name: postgres - labels: - app: postgres - spec: - replicas: 1 - selector: - matchLabels: - app: postgres - template: - metadata: - labels: - app: postgres - spec: - containers: - - name: postgres - image: centos/postgresql-10-centos7 - resources: - requests: - memory: "200Mi" - env: - - name: POSTGRESQL_USER - valueFrom: - secretKeyRef: - name: postgres-credentials - key: postgres_user - - name: POSTGRESQL_PASSWORD - valueFrom: - secretKeyRef: - name: postgres-credentials - key: postgres_password - - name: POSTGRESQL_DATABASE - valueFrom: - secretKeyRef: - name: postgres-credentials - key: postgres_db_name - - name: PGDATA - valueFrom: - secretKeyRef: - name: postgres-credentials - key: postgres_data - volumeMounts: - - name: postgres-volume - mountPath: "/var/lib/postgresql/data" - ports: - - containerPort: 5432 - volumes: - - name: postgres-volume - persistentVolumeClaim: - claimName: postgres-volume-claim + name: postgres-credentials +type: Opaque +data: + # Don't commit real credentials, instead interpolate secrets + # during the CI/CD process as a minimum. 
+ postgres_user: b2JwdXNlcg== #obpuser + postgres_password: b2JwcGFzc3dvcmQ= #obppassword + postgres_db_name: b2JwdXNlcg== #obpuser + postgres_data: L3Zhci9saWIvcG9zdGdyZXNxbC9kYXRhL3BnZGF0YQ== # /var/lib/postgresql/data/pgdata + jdbc_driver: b3JnLnBvc3RncmVzcWwuRHJpdmVy # org.postgresql.Driver + jdbc_url: amRiYzpwb3N0Z3Jlc3FsOi8vcG9zdGdyZXMtc2VydmljZTo1NDMyL29icHVzZXI/dXNlcj1vYnB1c2VyJnBhc3N3b3JkPW9icHBhc3N3b3Jk # jdbc:postgresql://postgres-service:5432/obpuser?user=obpuser&password=obppassword + +--- + +apiVersion: v1 +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: postgres-volume-claim +spec: + accessModes: + - ReadWriteOnce + volumeMode: Filesystem + persistentVolumeReclaimPolicy: Retain + resources: + requests: + storage: 5Gi + +--- +apiVersion: v1 +kind: Service +apiVersion: v1 +metadata: + name: obpapi-service +spec: + selector: + app: obpapi + ports: + - name: http + protocol: TCP + port: 80 + targetPort: 8080 + type: LoadBalancer +--- + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: obp-deployment + labels: + app: obpapi +spec: + replicas: 1 + selector: + matchLabels: + app: obpapi + template: + metadata: + labels: + app: obpapi + spec: + containers: + - name: obpapi + #image: openbankproject/obp-api # docker build -t obpapi-kube . 
+ image: index.docker.io/chrisjsimpson/obpapi-kube + resources: + requests: + memory: "700Mi" + env: + - name: OBP_DB_DRIVER + valueFrom: + secretKeyRef: + name: postgres-credentials + key: jdbc_driver + - name: OBP_DB_URL + valueFrom: + secretKeyRef: + name: postgres-credentials + key: jdbc_url + - name: DB_DRIVER + valueFrom: + secretKeyRef: + name: postgres-credentials + key: jdbc_driver + - name: DB_URL + valueFrom: + secretKeyRef: + name: postgres-credentials + key: jdbc_url + ports: + - containerPort: 8080 + name: http +--- + +apiVersion: v1 +kind: Service +metadata: + name: postgres-service +spec: + selector: + app: postgres + ports: + - protocol: TCP + port: 5432 + targetPort: 5432 +--- + +apiVersion: apps/v1 +kind: Deployment + +metadata: + name: postgres + labels: + app: postgres +spec: + replicas: 1 + selector: + matchLabels: + app: postgres + template: + metadata: + labels: + app: postgres + spec: + containers: + - name: postgres + image: centos/postgresql-10-centos7 + resources: + requests: + memory: "200Mi" + env: + - name: POSTGRESQL_USER + valueFrom: + secretKeyRef: + name: postgres-credentials + key: postgres_user + - name: POSTGRESQL_PASSWORD + valueFrom: + secretKeyRef: + name: postgres-credentials + key: postgres_password + - name: POSTGRESQL_DATABASE + valueFrom: + secretKeyRef: + name: postgres-credentials + key: postgres_db_name + - name: PGDATA + valueFrom: + secretKeyRef: + name: postgres-credentials + key: postgres_data + volumeMounts: + - name: postgres-volume + mountPath: "/var/lib/postgresql/data" + ports: + - containerPort: 5432 + volumes: + - name: postgres-volume + persistentVolumeClaim: + claimName: postgres-volume-claim From ef3bf965a3d5cfbcbae522e7e92da5871ec39452 Mon Sep 17 00:00:00 2001 
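Review bot: The first three documents of this hunk each declare `apiVersion` twice (`apiVersion: apps/v1` followed by `apiVersion: v1` on the Secret, and `apiVersion: v1` repeated on the PersistentVolumeClaim and on `obpapi-service`); duplicate mapping keys are invalid YAML, lenient loaders silently keep the last value, and `oc apply`/`kubectl apply` is likely to reject the file with a "key already set in map" error, so delete the first `apiVersion:` line of each of those documents. `persistentVolumeReclaimPolicy: Retain` under the claim's `spec` is a PersistentVolume/StorageClass field rather than a PersistentVolumeClaim field, so it will be reported as an unknown field; remove it from the claim (or set it on the PV or StorageClass). The obpapi container's `image: index.docker.io/chrisjsimpson/obpapi-kube` carries no tag or digest, so every rollout resolves a mutable default tag; pin it to an immutable reference, e.g. `image: index.docker.io/chrisjsimpson/obpapi-kube@sha256:<IMAGE-DIGEST-PLACEHOLDER>`. The Secret's `jdbc_url` still embeds the database password next to the separate `postgres_password` key, and the trailing `#obpuser` / `#obppassword` comments spell out the plaintext of each value, which undercuts the new "Don't commit real credentials" note; either drop those comments or replace the values with a clearly labelled placeholder to be substituted at deploy time.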
From: chrisjsimpson Date: Sun, 2 Oct 2022 01:24:21 +0100 Subject: [PATCH 3/4] #6 Renamed obpapi_openshift.yaml -> obp.yaml since they are compatible regardlress of cluster vendor now, for mow --- openshift/{obpapi_openshift.yaml => obp.yaml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename openshift/{obpapi_openshift.yaml => obp.yaml} (100%) diff --git a/openshift/obpapi_openshift.yaml b/openshift/obp.yaml similarity index 100% rename from openshift/obpapi_openshift.yaml rename to openshift/obp.yaml From d15026a9f69f7b6084d092dd066d0194324bd7fa Mon Sep 17 00:00:00 2001 From: chrisjsimpson Date: Sun, 2 Oct 2022 01:41:32 +0100 Subject: [PATCH 4/4] #6 Document openshift login & OBP deployment quickstart --- openshift/README.md | 67 +++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 65 insertions(+), 2 deletions(-) diff --git a/openshift/README.md b/openshift/README.md index d06aa64..8f6d65c 100644 --- a/openshift/README.md +++ b/openshift/README.md 
@@ -1,7 +1,70 @@ # Deploy OpenBankProject on Openshift -## Local development environment +## Openshift hosted cluster + +- [How to login to openshift using the `oc` CLI](#login-to-openshift-using-oc-cli) +- [Deploy OBP-API to your OpenShift Cluster](#deploy-obp-api-to-your-openshift-cluster) +- [Deploy OBP API to your local development environment](#deploy-obp-api-to-your-local-development-environment) + + +### Login to Openshift using `oc` CLI + +Objective: When you type "`oc get pods`" you get back some or no pods. If your cluster is new, you will see "`No resources found in namespace`" +For that to work, configure your terminal to use `oc` CLI against your Openshift cluster. The UI it not intuitive at all so here's the instructions: + +1. Login to your web cluster to get your authentication key (e.g. onsole-openshift-console.apps.sandbox-m2.abc123.p1.openshiftapps.com) +2. Click the '?' then "Command line tools", then "Copy login command" + +> Verbose cli login details: To log in using the CLI, collect your token from the web console’s Command Line page, which is accessed from Command Line Tools in the Help menu. The token is hidden, so you must click the copy to clipboard button at the end of the oc login line on the Command Line Tools page, then paste the copied contents to show the token. [Official docs](https://docs.openshift.com/container-platform/3.11/cli_reference/get_started_cli.html#cli-reference-get-started-cli) + +### Errors: random uuid + +tldr: + +1. Fix containers uuid handling using [this example](https://github.com/chrisjsimpson/obp-kubernetes/blob/openshiftcompatibility/entrypoint.sh#L1-L13). +2. See [fully working obp-api openshift container](index.docker.io/chrisjsimpson/obpapi-kube) example +3. 
Historical context see: [Building Non Root Docker Images OpenShift](https://blog.karmacomputing.co.uk/building-non-root-docker-images-openshift/), and [Openshift will not run your container as a root user](https://number1.co.za/openshift-will-not-run-your-container-as-a-root-user/) + + +Detail: + +The current OBP-API docker images will not run on Openshift deployed custers. An example image which does is available at: +[dockerhub](index.docker.io/chrisjsimpson/obpapi-kube), and the [code reference which handles the random uid scenario in OpenShift clusters](https://github.com/chrisjsimpson/obp-kubernetes/blob/openshiftcompatibility/entrypoint.sh#L1-L13). + + + +``` + OBP openshift ATM Postgress curl (time sink: cluster registry permissions/access) undocumented use of generate-jetty-start.sh in unknown repo, perhaps refers to image: index.docker.io/tawoe/obp-api however the tags are undocumented (tag "hw" exists and is most recently modified but no information, "lastest" tag is 9 days go) Neither will run on a production Openshift cluster chrisjsimpson/obpapi-kube will. + + +******************************************************************** +WARNING: User is 1012560000 + The user should be (re)set to 'jetty' in the Dockerfile +******************************************************************** +/generate-jetty-start.sh: 10: cannot create /var/lib/jetty/jetty.start: Permission denied +jetty dry run failed: +``` + +# Deploy OBP-API to your OpenShift Cluster + +1. Ensure your secrets are configured as intended (see `obp.yaml`) +2. Apply the OBP manifest(s) to your k8s cluster + +A quickstart valid OBP-API deployment manifest is provided: + +``` +oc apply -f obp.yaml +``` + +Validate: + +``` +oc get pods +``` + + +# Deploy OBP API to your local development environment Tools required: @@ -38,4 +101,4 @@ eval $(crc podman-env) ``` git clone https://github.com/KarmaComputing/OBP-API.git cd OBP-API -``` \ No newline at end of file +```