Merge pull request #4 from KarmaComputing/6-ensure-openshift-compatibility

#6 ensure openshift compatibility
chrisjsimpson authored Oct 2, 2022
2 parents 6b6a8b6 + d15026a commit 5cfb924
Showing 5 changed files with 237 additions and 196 deletions.
1 change: 1 addition & 0 deletions .gitignore
@@ -1 +1,2 @@
docs/venv
OBP-API
6 changes: 6 additions & 0 deletions README.md
@@ -1,5 +1,11 @@
# Kubernetes Build (local development)


## Target environments

- [Openshift](openshift)
- Kubernetes (see below)

For running locally, install https://microk8s.io/docs/.
Otherwise, use a kubernetes provider (Google Cloud, OpenShift etc)

122 changes: 66 additions & 56 deletions openshift/README.md
@@ -1,94 +1,104 @@
# Minishift set-up (rebranded minikube)
# Deploy OpenBankProject on Openshift

- Install minishift (https://docs.okd.io/latest/minishift/getting-started/index.html)

## Openshift hosted cluster

```
minishift start
```
- [How to login to openshift using the `oc` CLI](#login-to-openshift-using-oc-cli)
- [Deploy OBP-API to your OpenShift Cluster](#deploy-obp-api-to-your-openshift-cluster)
- [Deploy OBP API to your local development environment](#deploy-obp-api-to-your-local-development-environment)


### Login to Openshift using `oc` CLI

Objective: When you type "`oc get pods`" you get back some or no pods. If your cluster is new, you will see "`No resources found in <username> namespace`"
For that to work, configure your terminal to use `oc` CLI against your Openshift cluster. The UI it not intuitive at all so here's the instructions:

1. Login to your web cluster to get your authentication key (e.g. onsole-openshift-console.apps.sandbox-m2.abc123.p1.openshiftapps.com)
2. Click the '?' then "Command line tools", then "Copy login command"

> Verbose cli login details: To log in using the CLI, collect your token from the web console’s Command Line page, which is accessed from Command Line Tools in the Help menu. The token is hidden, so you must click the copy to clipboard button at the end of the oc login line on the Command Line Tools page, then paste the copied contents to show the token. [Official docs](https://docs.openshift.com/container-platform/3.11/cli_reference/get_started_cli.html#cli-reference-get-started-cli)
### Errors: random uuid

tldr:

1. Fix containers uuid handling using [this example](https://github.com/chrisjsimpson/obp-kubernetes/blob/openshiftcompatibility/entrypoint.sh#L1-L13).
2. See [fully working obp-api openshift container](index.docker.io/chrisjsimpson/obpapi-kube) example
3. Historical context see: [Building Non Root Docker Images OpenShift](https://blog.karmacomputing.co.uk/building-non-root-docker-images-openshift/), and [Openshift will not run your container as a root user](https://number1.co.za/openshift-will-not-run-your-container-as-a-root-user/)


Detail:

The current OBP-API docker images will not run on Openshift deployed custers. An example image which does is available at:
[dockerhub](index.docker.io/chrisjsimpson/obpapi-kube), and the [code reference which handles the random uid scenario in OpenShift clusters](https://github.com/chrisjsimpson/obp-kubernetes/blob/openshiftcompatibility/entrypoint.sh#L1-L13).


### View console
```
minishift console
```

### oc Env (rebranded kubectl)
```
eval $(minishift oc-env)
OBP openshift ATM Postgress curl (time sink: cluster registry permissions/access) undocumented use of generate-jetty-start.sh in unknown repo, perhaps refers to image: index.docker.io/tawoe/obp-api however the tags are undocumented (tag "hw" exists and is most recently modified but no information, "lastest" tag is 9 days go) Neither will run on a production Openshift cluster chrisjsimpson/obpapi-kube will.
********************************************************************
WARNING: User is 1012560000
The user should be (re)set to 'jetty' in the Dockerfile
********************************************************************
/generate-jetty-start.sh: 10: cannot create /var/lib/jetty/jetty.start: Permission denied
jetty dry run failed:
```

# Deploy OBP-API to your OpenShift Cluster

1. Ensure your secrets are configured as intended (see `obp.yaml`)
2. Apply the OBP manifest(s) to your k8s cluster

### Import the template
A quickstart valid OBP-API deployment manifest is provided:

Openshift `oc apply` command does **not** appear to automatically run your
manifest because `obpapi_openshift.yaml` is a template object.
After running this command you must use `oc new-app` to actually run the
template. This is confusing because with vanilla kubernetes kubectl would run
the manifest. An openshift template is similar (but not the same) as a Helm
cart if you're familiar with helm.
```
oc apply -f obpapi_openshift.yaml
oc apply -f obp.yaml
```
Now run the template as a new app:

Validate:

```
oc new-app obp-api-example # App name comes from the template name in yaml file.
oc get pods
```

Add a route for the service:
```

oc expose svc/obpapi-service
```
# Deploy OBP API to your local development environment

See if it works:
Tools required:

- `crc` ([Download & install crc](https://github.com/code-ready/crc/releases))

### Seed the sandbox: Deploy a bootstrap pod

We have a bootstrap node which creates an initial user for you automatically.
This user can then be promoted to a super admin, and used to import demo data.
Start `crc`

```
oc apply -f ../../obp-boostrap-user/bootstrap.yaml # Deploy bootstrap node
crc setup
crc start
```

Get boostrap.yaml, and edit the `env` file:

- username
- password
Enable podman:

The password policy is very strict. Install will fail if too weak.
> This sets-up podman to 'speak' to your local openshift cluster *rather* than your host machine.
```
wget https://raw.githubusercontent.com/chrisjsimpson/obp-kubernetes/master/bootstrap.yaml
eval $(crc podman-env)
```


> **Warning**
> If you see "error did not resolve to an alias and no unqualified-search registries are defined"
> Then edit `/etc/containers/registries.conf` and add/uncomment to your prefered registry e.g. `'unqualified-search-registries = ["docker.io"]` [ref: podman no longer searched dockerhub error](https://unix.stackexchange.com/questions/701784/podman-no-longer-searches-dockerhub-error-short-name-did-not-resolve-to-an))

### Clone OBP-API & build `obp-api` image


> **Warning**
> Work in progress. This clone url is subject to change to the [official repo](https://github.com/OpenBankProject/OBP-API.git)
-----------------Old------------------
### Docker env
```
eval $(minishift docker-env)
oc login # username developer, password password
docker login -u developer -p $(oc whoami -t) $(minishift openshift registry)
```

### Local Docker registry build and push
```
eval $(minishift oc-env)
eval $(minishift docker-env)
oc login
docker login -u developer -p $(oc whoami -t) $(minishift openshift registry)
docker built -t test .
docker tag test $(minishift openshift registry)/myproject/test
docker push $(minishift openshift registry)/myproject/test
# 'Deploy' as new app
oc new-app myproject/test
git clone https://github.com/KarmaComputing/OBP-API.git
cd OBP-API
```
**Note** The 'myproject' tag is needed for minishift docker push to work, otherwise you wil see `unauthorized: authentication required`.
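Review bot: the two `docker login -u developer -p $(oc whoami -t) $(minishift openshift registry)` lines (in "Docker env" and "Local Docker registry build and push") pass the session token as a command-line argument, so it ends up in shell history and is readable by other local processes via the process list; prefer `oc whoami -t | docker login -u developer --password-stdin $(minishift openshift registry)`. The bootstrap step also fetches `bootstrap.yaml` with `wget` from the moving `master` branch and then applies it; pinning the URL to a commit or tag would make the applied manifest reproducible and reviewable. Smaller text fixes in the same hunk: `docker built -t test .` should read `docker build`, "Helm cart" should be "Helm chart", and "custers", "boostrap", "prefered" and the example hostname "onsole-openshift-console..." look like typos.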
164 changes: 164 additions & 0 deletions openshift/obp.yaml
@@ -0,0 +1,164 @@
apiVersion: apps/v1
kind: Secret
apiVersion: v1
metadata:
name: postgres-credentials
type: Opaque
data:
# Don't commit real credentials, instead interpolate secrets
# during the CI/CD process as a minimum.
postgres_user: b2JwdXNlcg== #obpuser
postgres_password: b2JwcGFzc3dvcmQ= #obppassword
postgres_db_name: b2JwdXNlcg== #obpuser
postgres_data: L3Zhci9saWIvcG9zdGdyZXNxbC9kYXRhL3BnZGF0YQ== # /var/lib/postgresql/data/pgdata
jdbc_driver: b3JnLnBvc3RncmVzcWwuRHJpdmVy # org.postgresql.Driver
jdbc_url: amRiYzpwb3N0Z3Jlc3FsOi8vcG9zdGdyZXMtc2VydmljZTo1NDMyL29icHVzZXI/dXNlcj1vYnB1c2VyJnBhc3N3b3JkPW9icHBhc3N3b3Jk # jdbc:postgresql://postgres-service:5432/obpuser?user=obpuser&password=obppassword

---

apiVersion: v1
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: postgres-volume-claim
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
persistentVolumeReclaimPolicy: Retain
resources:
requests:
storage: 5Gi

---
apiVersion: v1
kind: Service
apiVersion: v1
metadata:
name: obpapi-service
spec:
selector:
app: obpapi
ports:
- name: http
protocol: TCP
port: 80
targetPort: 8080
type: LoadBalancer
---

apiVersion: apps/v1
kind: Deployment
metadata:
name: obp-deployment
labels:
app: obpapi
spec:
replicas: 1
selector:
matchLabels:
app: obpapi
template:
metadata:
labels:
app: obpapi
spec:
containers:
- name: obpapi
#image: openbankproject/obp-api # docker build -t obpapi-kube .
image: index.docker.io/chrisjsimpson/obpapi-kube
resources:
requests:
memory: "700Mi"
env:
- name: OBP_DB_DRIVER
valueFrom:
secretKeyRef:
name: postgres-credentials
key: jdbc_driver
- name: OBP_DB_URL
valueFrom:
secretKeyRef:
name: postgres-credentials
key: jdbc_url
- name: DB_DRIVER
valueFrom:
secretKeyRef:
name: postgres-credentials
key: jdbc_driver
- name: DB_URL
valueFrom:
secretKeyRef:
name: postgres-credentials
key: jdbc_url
ports:
- containerPort: 8080
name: http
---

apiVersion: v1
kind: Service
metadata:
name: postgres-service
spec:
selector:
app: postgres
ports:
- protocol: TCP
port: 5432
targetPort: 5432
---

apiVersion: apps/v1
kind: Deployment

metadata:
name: postgres
labels:
app: postgres
spec:
replicas: 1
selector:
matchLabels:
app: postgres
template:
metadata:
labels:
app: postgres
spec:
containers:
- name: postgres
image: centos/postgresql-10-centos7
resources:
requests:
memory: "200Mi"
env:
- name: POSTGRESQL_USER
valueFrom:
secretKeyRef:
name: postgres-credentials
key: postgres_user
- name: POSTGRESQL_PASSWORD
valueFrom:
secretKeyRef:
name: postgres-credentials
key: postgres_password
- name: POSTGRESQL_DATABASE
valueFrom:
secretKeyRef:
name: postgres-credentials
key: postgres_db_name
- name: PGDATA
valueFrom:
secretKeyRef:
name: postgres-credentials
key: postgres_data
volumeMounts:
- name: postgres-volume
mountPath: "/var/lib/postgresql/data"
ports:
- containerPort: 5432
volumes:
- name: postgres-volume
persistentVolumeClaim:
claimName: postgres-volume-claim
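Review bot: the Secret, the PersistentVolumeClaim and the `obpapi-service` Service each declare `apiVersion` twice (`apps/v1` followed by `v1` for the Secret, `v1` twice for the other two); duplicate mapping keys are invalid YAML and a parser will either reject the document or silently keep one of the values, so the first `apiVersion` line of each object should go. `persistentVolumeReclaimPolicy: Retain` is a PersistentVolume field, not part of a PersistentVolumeClaim spec, and will be rejected or dropped by `oc apply`. On the credentials: `jdbc_url` embeds `user=obpuser&password=obppassword`, so the database password surfaces anywhere the connection URL is logged or shown, and the base64 values are recoverable plaintext, as the comment on the Secret itself concedes; creating the Secret at deploy time (for example with `oc create secret generic postgres-credentials --from-literal=...`) instead of committing it would follow that comment's own advice. Finally, `type: LoadBalancer` on `obpapi-service` can provision an externally reachable endpoint even though the README fronts the service with a Route via `oc expose svc/obpapi-service`; a ClusterIP service is sufficient behind a Route.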