forked from OpenBankProject/OBP-Kubernetes
Merge pull request #4 from KarmaComputing/6-ensure-openshift-compatibility

#6 ensure openshift compatibility
Showing 5 changed files with 237 additions and 196 deletions.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1 +1,2 @@ | ||
docs/venv | ||
OBP-API |
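Review bot: ignoring `OBP-API` matches the README's local-development step, which runs `git clone https://github.com/KarmaComputing/OBP-API.git` inside this checkout, so the nested clone stays out of this repo's history. If that clone is meant to be a build input rather than scratch space, a submodule (or a documented pin to a specific commit or tag) would be more reproducible than an ignored, unpinned working copy, since whoever follows the README today gets whatever `master` happens to be.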
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,94 +1,104 @@ | ||
# Minishift set-up (rebranded minikube) | ||
# Deploy OpenBankProject on Openshift | ||
|
||
- Install minishift (https://docs.okd.io/latest/minishift/getting-started/index.html) | ||
|
||
## Openshift hosted cluster | ||
|
||
``` | ||
minishift start | ||
``` | ||
- [How to login to openshift using the `oc` CLI](#login-to-openshift-using-oc-cli) | ||
- [Deploy OBP-API to your OpenShift Cluster](#deploy-obp-api-to-your-openshift-cluster) | ||
- [Deploy OBP API to your local development environment](#deploy-obp-api-to-your-local-development-environment) | ||
|
||
|
||
### Login to Openshift using `oc` CLI | ||
|
||
Objective: When you type "`oc get pods`" you get back some or no pods. If your cluster is new, you will see "`No resources found in <username> namespace`" | ||
For that to work, configure your terminal to use `oc` CLI against your Openshift cluster. The UI it not intuitive at all so here's the instructions: | ||
|
||
1. Login to your web cluster to get your authentication key (e.g. onsole-openshift-console.apps.sandbox-m2.abc123.p1.openshiftapps.com) | ||
2. Click the '?' then "Command line tools", then "Copy login command" | ||
|
||
> Verbose cli login details: To log in using the CLI, collect your token from the web console’s Command Line page, which is accessed from Command Line Tools in the Help menu. The token is hidden, so you must click the copy to clipboard button at the end of the oc login line on the Command Line Tools page, then paste the copied contents to show the token. [Official docs](https://docs.openshift.com/container-platform/3.11/cli_reference/get_started_cli.html#cli-reference-get-started-cli) | ||
### Errors: random uuid | ||
|
||
tldr: | ||
|
||
1. Fix containers uuid handling using [this example](https://github.com/chrisjsimpson/obp-kubernetes/blob/openshiftcompatibility/entrypoint.sh#L1-L13). | ||
2. See [fully working obp-api openshift container](index.docker.io/chrisjsimpson/obpapi-kube) example | ||
3. Historical context see: [Building Non Root Docker Images OpenShift](https://blog.karmacomputing.co.uk/building-non-root-docker-images-openshift/), and [Openshift will not run your container as a root user](https://number1.co.za/openshift-will-not-run-your-container-as-a-root-user/) | ||
|
||
|
||
Detail: | ||
|
||
The current OBP-API docker images will not run on Openshift deployed custers. An example image which does is available at: | ||
[dockerhub](index.docker.io/chrisjsimpson/obpapi-kube), and the [code reference which handles the random uid scenario in OpenShift clusters](https://github.com/chrisjsimpson/obp-kubernetes/blob/openshiftcompatibility/entrypoint.sh#L1-L13). | ||
|
||
|
||
### View console | ||
``` | ||
minishift console | ||
``` | ||
|
||
### oc Env (rebranded kubectl) | ||
``` | ||
eval $(minishift oc-env) | ||
OBP openshift ATM Postgress curl (time sink: cluster registry permissions/access) undocumented use of generate-jetty-start.sh in unknown repo, perhaps refers to image: index.docker.io/tawoe/obp-api however the tags are undocumented (tag "hw" exists and is most recently modified but no information, "lastest" tag is 9 days go) Neither will run on a production Openshift cluster chrisjsimpson/obpapi-kube will. | ||
******************************************************************** | ||
WARNING: User is 1012560000 | ||
The user should be (re)set to 'jetty' in the Dockerfile | ||
******************************************************************** | ||
/generate-jetty-start.sh: 10: cannot create /var/lib/jetty/jetty.start: Permission denied | ||
jetty dry run failed: | ||
``` | ||
|
||
# Deploy OBP-API to your OpenShift Cluster | ||
|
||
1. Ensure your secrets are configured as intended (see `obp.yaml`) | ||
2. Apply the OBP manifest(s) to your k8s cluster | ||
|
||
### Import the template | ||
A quickstart valid OBP-API deployment manifest is provided: | ||
|
||
Openshift `oc apply` command does **not** appear to automatically run your | ||
manifest because `obpapi_openshift.yaml` is a template object. | ||
After running this command you must use `oc new-app` to actually run the | ||
template. This is confusing because with vanilla kubernetes kubectl would run | ||
the manifest. An openshift template is similar (but not the same) as a Helm | ||
cart if you're familiar with helm. | ||
``` | ||
oc apply -f obpapi_openshift.yaml | ||
oc apply -f obp.yaml | ||
``` | ||
Now run the template as a new app: | ||
|
||
Validate: | ||
|
||
``` | ||
oc new-app obp-api-example # App name comes from the template name in yaml file. | ||
oc get pods | ||
``` | ||
|
||
Add a route for the service: | ||
``` | ||
|
||
oc expose svc/obpapi-service | ||
``` | ||
# Deploy OBP API to your local development environment | ||
|
||
See if it works: | ||
Tools required: | ||
|
||
- `crc` ([Download & install crc](https://github.com/code-ready/crc/releases)) | ||
|
||
### Seed the sandbox: Deploy a bootstrap pod | ||
|
||
We have a bootstrap node which creates an initial user for you automatically. | ||
This user can then be promoted to a super admin, and used to import demo data. | ||
Start `crc` | ||
|
||
``` | ||
oc apply -f ../../obp-boostrap-user/bootstrap.yaml # Deploy bootstrap node | ||
crc setup | ||
crc start | ||
``` | ||
|
||
Get boostrap.yaml, and edit the `env` file: | ||
|
||
- username | ||
- password | ||
Enable podman: | ||
|
||
The password policy is very strict. Install will fail if too weak. | ||
> This sets-up podman to 'speak' to your local openshift cluster *rather* than your host machine. | ||
``` | ||
wget https://raw.githubusercontent.com/chrisjsimpson/obp-kubernetes/master/bootstrap.yaml | ||
eval $(crc podman-env) | ||
``` | ||
|
||
|
||
> **Warning** | ||
> If you see "error did not resolve to an alias and no unqualified-search registries are defined" | ||
> Then edit `/etc/containers/registries.conf` and add/uncomment to your prefered registry e.g. `'unqualified-search-registries = ["docker.io"]` [ref: podman no longer searched dockerhub error](https://unix.stackexchange.com/questions/701784/podman-no-longer-searches-dockerhub-error-short-name-did-not-resolve-to-an)) | ||
|
||
### Clone OBP-API & build `obp-api` image | ||
|
||
|
||
> **Warning** | ||
> Work in progress. This clone url is subject to change to the [official repo](https://github.com/OpenBankProject/OBP-API.git) | ||
-----------------Old------------------ | ||
### Docker env | ||
``` | ||
eval $(minishift docker-env) | ||
oc login # username developer, password password | ||
docker login -u developer -p $(oc whoami -t) $(minishift openshift registry) | ||
``` | ||
|
||
### Local Docker registry build and push | ||
``` | ||
eval $(minishift oc-env) | ||
eval $(minishift docker-env) | ||
oc login | ||
docker login -u developer -p $(oc whoami -t) $(minishift openshift registry) | ||
docker built -t test . | ||
docker tag test $(minishift openshift registry)/myproject/test | ||
docker push $(minishift openshift registry)/myproject/test | ||
# 'Deploy' as new app | ||
oc new-app myproject/test | ||
git clone https://github.com/KarmaComputing/OBP-API.git | ||
cd OBP-API | ||
``` | ||
**Note** The 'myproject' tag is needed for minishift docker push to work, otherwise you wil see `unauthorized: authentication required`. |
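Review bot: `oc expose svc/obpapi-service` under "Add a route for the service" creates an unencrypted HTTP route, so API calls, the bootstrap user's credentials and any OAuth tokens would cross the router in the clear; `oc create route edge --service=obpapi-service` gives the same route with TLS terminated at the router and is the form worth documenting. In the same hunk, `docker login -u developer -p $(oc whoami -t) $(minishift openshift registry)` (both the "Docker env" block and the "Local Docker registry build and push" block) puts the OpenShift session token into shell history and the process list; `oc whoami -t | docker login -u developer --password-stdin $(minishift openshift registry)` keeps it out of both. Two smaller points: `docker built -t test .` is a typo for `docker build -t test .`, and the `oc Env (rebranded kubectl)` code block has a paragraph of working notes (`OBP openshift ATM Postgress curl (time sink: ...)`) spliced between `eval $(minishift oc-env)` and the Jetty `Permission denied` output, which makes the fenced block look like real command output; that text belongs in prose above the block or should be dropped.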
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,164 @@ | ||
apiVersion: apps/v1 | ||
kind: Secret | ||
apiVersion: v1 | ||
metadata: | ||
name: postgres-credentials | ||
type: Opaque | ||
data: | ||
# Don't commit real credentials, instead interpolate secrets | ||
# during the CI/CD process as a minimum. | ||
postgres_user: b2JwdXNlcg== #obpuser | ||
postgres_password: b2JwcGFzc3dvcmQ= #obppassword | ||
postgres_db_name: b2JwdXNlcg== #obpuser | ||
postgres_data: L3Zhci9saWIvcG9zdGdyZXNxbC9kYXRhL3BnZGF0YQ== # /var/lib/postgresql/data/pgdata | ||
jdbc_driver: b3JnLnBvc3RncmVzcWwuRHJpdmVy # org.postgresql.Driver | ||
jdbc_url: amRiYzpwb3N0Z3Jlc3FsOi8vcG9zdGdyZXMtc2VydmljZTo1NDMyL29icHVzZXI/dXNlcj1vYnB1c2VyJnBhc3N3b3JkPW9icHBhc3N3b3Jk # jdbc:postgresql://postgres-service:5432/obpuser?user=obpuser&password=obppassword | ||
|
||
--- | ||
|
||
apiVersion: v1 | ||
kind: PersistentVolumeClaim | ||
apiVersion: v1 | ||
metadata: | ||
name: postgres-volume-claim | ||
spec: | ||
accessModes: | ||
- ReadWriteOnce | ||
volumeMode: Filesystem | ||
persistentVolumeReclaimPolicy: Retain | ||
resources: | ||
requests: | ||
storage: 5Gi | ||
|
||
--- | ||
apiVersion: v1 | ||
kind: Service | ||
apiVersion: v1 | ||
metadata: | ||
name: obpapi-service | ||
spec: | ||
selector: | ||
app: obpapi | ||
ports: | ||
- name: http | ||
protocol: TCP | ||
port: 80 | ||
targetPort: 8080 | ||
type: LoadBalancer | ||
--- | ||
|
||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
name: obp-deployment | ||
labels: | ||
app: obpapi | ||
spec: | ||
replicas: 1 | ||
selector: | ||
matchLabels: | ||
app: obpapi | ||
template: | ||
metadata: | ||
labels: | ||
app: obpapi | ||
spec: | ||
containers: | ||
- name: obpapi | ||
#image: openbankproject/obp-api # docker build -t obpapi-kube . | ||
image: index.docker.io/chrisjsimpson/obpapi-kube | ||
resources: | ||
requests: | ||
memory: "700Mi" | ||
env: | ||
- name: OBP_DB_DRIVER | ||
valueFrom: | ||
secretKeyRef: | ||
name: postgres-credentials | ||
key: jdbc_driver | ||
- name: OBP_DB_URL | ||
valueFrom: | ||
secretKeyRef: | ||
name: postgres-credentials | ||
key: jdbc_url | ||
- name: DB_DRIVER | ||
valueFrom: | ||
secretKeyRef: | ||
name: postgres-credentials | ||
key: jdbc_driver | ||
- name: DB_URL | ||
valueFrom: | ||
secretKeyRef: | ||
name: postgres-credentials | ||
key: jdbc_url | ||
ports: | ||
- containerPort: 8080 | ||
name: http | ||
--- | ||
|
||
apiVersion: v1 | ||
kind: Service | ||
metadata: | ||
name: postgres-service | ||
spec: | ||
selector: | ||
app: postgres | ||
ports: | ||
- protocol: TCP | ||
port: 5432 | ||
targetPort: 5432 | ||
--- | ||
|
||
apiVersion: apps/v1 | ||
kind: Deployment | ||
|
||
metadata: | ||
name: postgres | ||
labels: | ||
app: postgres | ||
spec: | ||
replicas: 1 | ||
selector: | ||
matchLabels: | ||
app: postgres | ||
template: | ||
metadata: | ||
labels: | ||
app: postgres | ||
spec: | ||
containers: | ||
- name: postgres | ||
image: centos/postgresql-10-centos7 | ||
resources: | ||
requests: | ||
memory: "200Mi" | ||
env: | ||
- name: POSTGRESQL_USER | ||
valueFrom: | ||
secretKeyRef: | ||
name: postgres-credentials | ||
key: postgres_user | ||
- name: POSTGRESQL_PASSWORD | ||
valueFrom: | ||
secretKeyRef: | ||
name: postgres-credentials | ||
key: postgres_password | ||
- name: POSTGRESQL_DATABASE | ||
valueFrom: | ||
secretKeyRef: | ||
name: postgres-credentials | ||
key: postgres_db_name | ||
- name: PGDATA | ||
valueFrom: | ||
secretKeyRef: | ||
name: postgres-credentials | ||
key: postgres_data | ||
volumeMounts: | ||
- name: postgres-volume | ||
mountPath: "/var/lib/postgresql/data" | ||
ports: | ||
- containerPort: 5432 | ||
volumes: | ||
- name: postgres-volume | ||
persistentVolumeClaim: | ||
claimName: postgres-volume-claim |
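Review bot: the Secret, the PersistentVolumeClaim and the first Service each declare `apiVersion` twice (`apps/v1` then `v1` on the Secret; `v1` twice on the PVC and on `obpapi-service`); a duplicate mapping key makes the YAML-to-JSON conversion in `oc apply` fail before any object is created, and `apps/v1` is not a valid group for a Secret in any case, so each object should carry a single `apiVersion: v1`. `persistentVolumeReclaimPolicy: Retain` is a PersistentVolume field, not a PersistentVolumeClaim field, and will be rejected or ignored where it sits. On the secrets themselves: the database password is stored twice, once as `postgres_password` and again embedded in `jdbc_url` (`...?user=obpuser&password=obppassword`), so a rotation that updates one key and not the other silently breaks the API; build the JDBC URL from the individual values (or at least document that both must change together). The decoded value is also written in plain text in the comment beside each base64 string, which undoes the `Don't commit real credentials` comment the moment someone edits the values in place rather than interpolating them in CI. Both images (`index.docker.io/chrisjsimpson/obpapi-kube` and `centos/postgresql-10-centos7`) are referenced without a tag or digest, so every rollout pulls whatever `latest` is that day; pin by digest for anything beyond a throwaway sandbox. Finally, `type: LoadBalancer` on `obpapi-service` is redundant with the Route the README creates via `oc expose`, and on a hosted OpenShift sandbox it will usually sit in `<pending>`; `ClusterIP` plus the Route is enough.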