When developing a new workload to run against a shared cluster it is necessary to use the cluster bastion VM to run the workload on. There are two options:
-
Provision a workshop and use the workshop bastion VM
-
Use the Shared OpenTLC development cluster
While the following instructions outline the use of the shared OpenTLC development cluster they can also applied to your very own workshop bastion VM.
-
Request access for the Bastion provisioning catalog item by sending an e-mail to [email protected] asking to be added to the opentlc-access-bastion group.
-
Once access has been granted log into http://labs.opentlc.com
-
Open the catalog DevOps Shared Cluster Testing and select the catalog item DEV - OCP 4.4 Shared Bastion Access. Click Order.
-
Check the checkbox and click Submit.
-
When provisioning finished you will get an e-mail with your credentials. It will contain information like this:
Here is some important information about your environment: **************************************************************** IMPORTANT: You now have access to an OpenTLC Production Cluster. Be CAREFUL! **************************************************************** Openshift Web Console: https://console-openshift-console.apps.shared-dev4.dev4.openshift.opentlc.com Openshift API command line 'oc' client: https://api.shared-dev4.dev4.openshift.opentlc.com:6443 Bastion Hostname: bastion.dev4.openshift.opentlc.com User ID: wkulhane-redhat.com Password: 6QGeAOQ3CtCgLWtE **************************************************************** Set up for AgnosticD Workload Development 1. Add your public key to the bastion (you will be prompted for your password: 6QGeAOQ3CtCgLWtE ssh-copy-id -i ~/.ssh/wkulhane-redhat.com [email protected] 2. Log into OpenShift from the bastion (repeat every 24h): This sets up /home/wkulhane-redhat.com/.kube/config ssh -i ~/.ssh/wkulhane-redhat.com [email protected] oc login --insecure-skip-tls-verify -u wkulhane-redhat.com https://api.shared-dev4.dev4.openshift.opentlc.com:6443 Note: you will be prompted for your OpenTLC password.
When you requested bastion access via the catalog item the following happened:
-
A user <Your OpenTLC ID> got created on the bastion (bastion.dev4.openshift.opentlc.com).
-
The password for your user got generated - and printed above.
-
The user does not have sudo privileges.
-
Your <OpenTLC> user id got granted
cluster-admin
privileges.
In order to use the environment with AgnosticD you will need to set up your bastion User ID by
-
Adding your public SSH key to your user on the bastion
-
Logging into OpenShift from your bastion user using your OpenTLC user ID.
-
If you don’t have a SSH key pair yet generate one (do not specify a passphrase):
$ ssh-keygen -f ~/.ssh/<your opentlc id> # e.g. # $ ssh-keygen -f ~/.ssh/wkulhane-redhat.com
This will create two files:
~/.ssh/<your opentlc id>
(your private key) and~/.ssh/<your opentlc id>.pub
(your public key). -
Copy your public key to the bastion. You will be prompted for the password of your bastion user from the provisioning e-mail.
$ ssh-copy-id -i ~/.ssh/<Your OpenTLC ID> <Your OpenTLC ID>@bastion.dev4.openshift.opentlc.com # e.g. # $ ssh-copy-id -i ~/.ssh/wkulhane-redhat.com [email protected] /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: /Users/wkulhane/.ssh/wkulhane-redhat.com.pub /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys [email protected] password: Number of key(s) added: 1 Now try logging into the machine, with: ssh [email protected] and check to make sure that only the key(s) you wanted were added.
-
Log into the OpenShift Cluster via the Bastion VM using your bastion user and your OpenTLC user and password for OpenShift.
$ ssh -i ~/.ssh/<Your OpenTLC ID> <Your OpenTLC ID>@bastion.dev4.openshift.opentlc.com oc login --insecure-skip-tls-verify -u <Your OpenTLC ID> https://api.shared-dev4.dev4.openshift.opentlc.com:6443 # e.g. # $ ssh -i ~/.ssh/wkulhane-redhat.com [email protected] oc login --insecure-skip-tls-verify -u wkulhane-redhat.com https://api.shared-dev4.dev4.openshift.opentlc.com:6443 Authentication required for https://api.shared-dev4.dev4.openshift.opentlc.com:6443 (openshift) Username: wkulhane-redhat.com Password: <redacted> Login successful. You have access to 88 projects, the list has been suppressed. You can list all projects with 'oc projects' Using project "default". Welcome! See 'oc help' to get started.
WarningYou will need to repeat the OpenShift login step every 24h because your Login token expires every 24h.
-
You are ready to run workloads.
-
-
Clone AgnosticD into a directory of your choice.
-
Create a Shell Script,
wk4_deploy_workload
in the AgnosticdD root direcgtory with the following contents (if you use thewk4
prefix the.gitignore
is already set up so that your scripts will not be accidentally added to AgnosticD)#!/bin/bash # The name of your workload WORKLOAD="ocp4_workload_serverless" # Use a GUID that is specific for you. E.g first letter of your # first name, 3 letters of your last name GUID=WKUL # Create - or remove. Comment out the one that you need ACTION=create # ACTION=remove # Target host. Don't change TARGET_HOST="bastion.dev4.openshift.opentlc.com" # Cloud Provider. Don't change CLOUD_PROVIDER=ec2 # Ansible User. Should be Your OpenTLC ID - this is the user on the bastion ANSIBLE_USER=<Your OpenTLC ID> # E.g. ANSIBLE_USER=wkulhane-redhat.com # Associated private key file. ANSIBLE_USER_KEY_FILE="~/.ssh/<Your OpenTLC ID>" # E.g. ANSIBLE_USER_KEY_FILE=~/.ssh/wkulhane-redhat.com # Deploy the Workload ansible-playbook -i "${TARGET_HOST}", ./ansible/configs/ocp-workloads/ocp-workload.yml \ -e"ansible_ssh_private_key_file=${ANSIBLE_USER_KEY_FILE}" \ -e"ansible_user=${ANSIBLE_USER}" \ -e"ocp_username=${ANSIBLE_USER}" \ -e"ocp_workload=${WORKLOAD}" \ -e"silent=False" \ -e"guid=${GUID}" \ -e"ACTION=${ACTION}" \ -e"cloud_provider=${CLOUD_PROVIDER}" \ -e"target_host=${TARGET_HOST}" \ -e @./wk4_workloads.yaml
-
Make the file executable:
chmod +x ./wk4_deploy_workload
-
Create a second file,
wk4_workloads.yaml
that contains the variables for your workload. If you don not have any customization this file can be empty.Here is an example for the Serverless workload with Catalog Snapshot Images:
# --------------------------------------------------------- # OpenShift Serverless # --------------------------------------------------------- #ocp4_workload_serverless_channel: "4.5" ocp4_workload_serverless_install_eventing: true ocp4_workload_serverless_use_catalog_snapshot: true ocp4_workload_serverless_catalog_snapshot_image: quay.io/gpte-devops-automation/olm_snapshot_redhat_catalog ocp4_workload_serverless_catalog_snapshot_image_tag: "v4.5_2020_08_24" ocp4_workload_serverless_starting_csv: "serverless-operator.v1.8.0"
-
Now you can execute the script to run your workload on the bastion:
./wk4_deploy_workload
Warning
|
Do not forget to clean up after yourself - as in run the deploy workload script using the |
Tip
|
It is very important to follow these guidelines to be a good neighbor on the cluster. Remember this is a shared cluster - and if you destroy something we may need to redeploy the whole thing. |
-
Do not modify or update already deployed Operators
-
If at all possible install Operators namespaced
-
If you need a cluster wide operator installed make sure it’s not already there
-
If it is already installed do not change it
-
-
You are
cluster-admin
. Be extra careful. -
No running
oc
commands in workloads. Always use thek8s
Ansible modules. PRs that useoc
will be rejected.