diff --git a/.gitignore b/.gitignore index 68d2a46..5058e91 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ docs/venv +OBP-API diff --git a/README.md b/README.md index 723912e..9b78090 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,11 @@ # Kubernetes Build (local development) + +## Target environments + +- [Openshift](openshift) +- Kubernetes (see below) + For running locally, install https://microk8s.io/docs/. Otherwise, use a kubernetes provider (Google Cloud, OpenShift etc) diff --git a/openshift/README.md b/openshift/README.md index f8bfae3..8f6d65c 100644 --- a/openshift/README.md +++ b/openshift/README.md 
@@ -1,94 +1,104 @@ -# Minishift set-up (rebranded minikube) +# Deploy OpenBankProject on Openshift -- Install minishift (https://docs.okd.io/latest/minishift/getting-started/index.html) +## Openshift hosted cluster -``` -minishift start -``` +- [How to login to openshift using the `oc` CLI](#login-to-openshift-using-oc-cli) +- [Deploy OBP-API to your OpenShift Cluster](#deploy-obp-api-to-your-openshift-cluster) +- [Deploy OBP API to your local development environment](#deploy-obp-api-to-your-local-development-environment) + + +### Login to Openshift using `oc` CLI + +Objective: When you type "`oc get pods`" you get back some or no pods. If your cluster is new, you will see "`No resources found in namespace`" +For that to work, configure your terminal to use `oc` CLI against your Openshift cluster. The UI it not intuitive at all so here's the instructions: + +1. Login to your web cluster to get your authentication key (e.g. onsole-openshift-console.apps.sandbox-m2.abc123.p1.openshiftapps.com) +2. Click the '?' then "Command line tools", then "Copy login command" + +> Verbose cli login details: To log in using the CLI, collect your token from the web console’s Command Line page, which is accessed from Command Line Tools in the Help menu. The token is hidden, so you must click the copy to clipboard button at the end of the oc login line on the Command Line Tools page, then paste the copied contents to show the token. [Official docs](https://docs.openshift.com/container-platform/3.11/cli_reference/get_started_cli.html#cli-reference-get-started-cli) + +### Errors: random uuid + +tldr: + +1. Fix containers uuid handling using [this example](https://github.com/chrisjsimpson/obp-kubernetes/blob/openshiftcompatibility/entrypoint.sh#L1-L13). +2. See [fully working obp-api openshift container](index.docker.io/chrisjsimpson/obpapi-kube) example +3. 
Historical context see: [Building Non Root Docker Images OpenShift](https://blog.karmacomputing.co.uk/building-non-root-docker-images-openshift/), and [Openshift will not run your container as a root user](https://number1.co.za/openshift-will-not-run-your-container-as-a-root-user/) + + +Detail: + +The current OBP-API docker images will not run on Openshift deployed custers. An example image which does is available at: +[dockerhub](index.docker.io/chrisjsimpson/obpapi-kube), and the [code reference which handles the random uid scenario in OpenShift clusters](https://github.com/chrisjsimpson/obp-kubernetes/blob/openshiftcompatibility/entrypoint.sh#L1-L13). -### View console -``` -minishift console -``` -### oc Env (rebranded kubectl) ``` -eval $(minishift oc-env) + OBP openshift ATM Postgress curl (time sink: cluster registry permissions/access) undocumented use of generate-jetty-start.sh in unknown repo, perhaps refers to image: index.docker.io/tawoe/obp-api however the tags are undocumented (tag "hw" exists and is most recently modified but no information, "lastest" tag is 9 days go) Neither will run on a production Openshift cluster chrisjsimpson/obpapi-kube will. + + +******************************************************************** +WARNING: User is 1012560000 + The user should be (re)set to 'jetty' in the Dockerfile +******************************************************************** +/generate-jetty-start.sh: 10: cannot create /var/lib/jetty/jetty.start: Permission denied +jetty dry run failed: ``` +# Deploy OBP-API to your OpenShift Cluster + +1. Ensure your secrets are configured as intended (see `obp.yaml`) +2. Apply the OBP manifest(s) to your k8s cluster -### Import the template +A quickstart valid OBP-API deployment manifest is provided: -Openshift `oc apply` command does **not** appear to automatically run your -manifest because `obpapi_openshift.yaml` is a template object. 
-After running this command you must use `oc new-app` to actually run the -template. This is confusing because with vanilla kubernetes kubectl would run -the manifest. An openshift template is similar (but not the same) as a Helm -cart if you're familiar with helm. ``` -oc apply -f obpapi_openshift.yaml +oc apply -f obp.yaml ``` -Now run the template as a new app: + +Validate: + ``` -oc new-app obp-api-example # App name comes from the template name in yaml file. +oc get pods ``` -Add a route for the service: -``` -oc expose svc/obpapi-service -``` +# Deploy OBP API to your local development environment -See if it works: +Tools required: +- `crc` ([Download & install crc](https://github.com/code-ready/crc/releases)) -### Seed the sandbox: Deploy a bootstrap pod -We have a bootstrap node which creates an initial user for you automatically. -This user can then be promoted to a super admin, and used to import demo data. +Start `crc` ``` -oc apply -f ../../obp-boostrap-user/bootstrap.yaml # Deploy bootstrap node +crc setup +crc start ``` -Get boostrap.yaml, and edit the `env` file: - -- username -- password +Enable podman: -The password policy is very strict. Install will fail if too weak. +> This sets-up podman to 'speak' to your local openshift cluster *rather* than your host machine. ``` -wget https://raw.githubusercontent.com/chrisjsimpson/obp-kubernetes/master/bootstrap.yaml +eval $(crc podman-env) ``` +> **Warning** +> If you see "error did not resolve to an alias and no unqualified-search registries are defined" +> Then edit `/etc/containers/registries.conf` and add/uncomment to your prefered registry e.g. `'unqualified-search-registries = ["docker.io"]` [ref: podman no longer searched dockerhub error](https://unix.stackexchange.com/questions/701784/podman-no-longer-searches-dockerhub-error-short-name-did-not-resolve-to-an)) +### Clone OBP-API & build `obp-api` image +> **Warning** +> Work in progress. 
This clone url is subject to change to the [official repo](https://github.com/OpenBankProject/OBP-API.git) ------------------Old------------------ -### Docker env -``` -eval $(minishift docker-env) -oc login # username developer, password password -docker login -u developer -p $(oc whoami -t) $(minishift openshift registry) -``` - -### Local Docker registry build and push ``` -eval $(minishift oc-env) -eval $(minishift docker-env) -oc login -docker login -u developer -p $(oc whoami -t) $(minishift openshift registry) -docker built -t test . -docker tag test $(minishift openshift registry)/myproject/test -docker push $(minishift openshift registry)/myproject/test - -# 'Deploy' as new app -oc new-app myproject/test +git clone https://github.com/KarmaComputing/OBP-API.git +cd OBP-API ``` -**Note** The 'myproject' tag is needed for minishift docker push to work, otherwise you wil see `unauthorized: authentication required`. diff --git a/openshift/obp.yaml b/openshift/obp.yaml new file mode 100644 index 0000000..1ab8732 --- /dev/null +++ b/openshift/obp.yaml 
@@ -0,0 +1,164 @@ +apiVersion: apps/v1 +kind: Secret +apiVersion: v1 +metadata: + name: postgres-credentials +type: Opaque +data: + # Don't commit real credentials, instead interpolate secrets + # during the CI/CD process as a minimum. + postgres_user: b2JwdXNlcg== #obpuser + postgres_password: b2JwcGFzc3dvcmQ= #obppassword + postgres_db_name: b2JwdXNlcg== #obpuser + postgres_data: L3Zhci9saWIvcG9zdGdyZXNxbC9kYXRhL3BnZGF0YQ== # /var/lib/postgresql/data/pgdata + jdbc_driver: b3JnLnBvc3RncmVzcWwuRHJpdmVy # org.postgresql.Driver + jdbc_url: amRiYzpwb3N0Z3Jlc3FsOi8vcG9zdGdyZXMtc2VydmljZTo1NDMyL29icHVzZXI/dXNlcj1vYnB1c2VyJnBhc3N3b3JkPW9icHBhc3N3b3Jk # jdbc:postgresql://postgres-service:5432/obpuser?user=obpuser&password=obppassword + +--- + +apiVersion: v1 +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: postgres-volume-claim +spec: + accessModes: + - ReadWriteOnce + volumeMode: Filesystem + persistentVolumeReclaimPolicy: Retain + resources: + requests: + storage: 5Gi + +--- +apiVersion: v1 +kind: Service +apiVersion: v1 +metadata: + name: obpapi-service +spec: + selector: + app: obpapi + ports: + - name: http + protocol: TCP + port: 80 + targetPort: 8080 + type: LoadBalancer +--- + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: obp-deployment + labels: + app: obpapi +spec: + replicas: 1 + selector: + matchLabels: + app: obpapi + template: + metadata: + labels: + app: obpapi + spec: + containers: + - name: obpapi + #image: openbankproject/obp-api # docker build -t obpapi-kube . 
+ image: index.docker.io/chrisjsimpson/obpapi-kube + resources: + requests: + memory: "700Mi" + env: + - name: OBP_DB_DRIVER + valueFrom: + secretKeyRef: + name: postgres-credentials + key: jdbc_driver + - name: OBP_DB_URL + valueFrom: + secretKeyRef: + name: postgres-credentials + key: jdbc_url + - name: DB_DRIVER + valueFrom: + secretKeyRef: + name: postgres-credentials + key: jdbc_driver + - name: DB_URL + valueFrom: + secretKeyRef: + name: postgres-credentials + key: jdbc_url + ports: + - containerPort: 8080 + name: http +--- + +apiVersion: v1 +kind: Service +metadata: + name: postgres-service +spec: + selector: + app: postgres + ports: + - protocol: TCP + port: 5432 + targetPort: 5432 +--- + +apiVersion: apps/v1 +kind: Deployment + +metadata: + name: postgres + labels: + app: postgres +spec: + replicas: 1 + selector: + matchLabels: + app: postgres + template: + metadata: + labels: + app: postgres + spec: + containers: + - name: postgres + image: centos/postgresql-10-centos7 + resources: + requests: + memory: "200Mi" + env: + - name: POSTGRESQL_USER + valueFrom: + secretKeyRef: + name: postgres-credentials + key: postgres_user + - name: POSTGRESQL_PASSWORD + valueFrom: + secretKeyRef: + name: postgres-credentials + key: postgres_password + - name: POSTGRESQL_DATABASE + valueFrom: + secretKeyRef: + name: postgres-credentials + key: postgres_db_name + - name: PGDATA + valueFrom: + secretKeyRef: + name: postgres-credentials + key: postgres_data + volumeMounts: + - name: postgres-volume + mountPath: "/var/lib/postgresql/data" + ports: + - containerPort: 5432 + volumes: + - name: postgres-volume + persistentVolumeClaim: + claimName: postgres-volume-claim diff --git a/openshift/obpapi_openshift.yaml b/openshift/obpapi_openshift.yaml deleted file mode 100644 index d6b61f4..0000000 --- a/openshift/obpapi_openshift.yaml +++ /dev/null 
@@ -1,140 +0,0 @@ -kind: "Template" -apiVersion: v1 -metadata: - name: "obp-api-example" -objects: - - kind: Secret - apiVersion: v1 - metadata: - name: postgres-credentials - type: Opaque - data: - postgres_user: b2JwdXNlcg== #obpuser - postgres_password: b2JwcGFzc3dvcmQ= #obppassword - postgres_db_name: b2JwdXNlcg== #obpuser - postgres_data: L3Zhci9saWIvcG9zdGdyZXNxbC9kYXRhL3BnZGF0YQ== # /var/lib/postgresql/data/pgdata - jdbc_driver: b3JnLnBvc3RncmVzcWwuRHJpdmVy # org.postgresql.Driver - jdbc_url: amRiYzpwb3N0Z3Jlc3FsOi8vcG9zdGdyZXMtc2VydmljZTo1NDMyL29icHVzZXI/dXNlcj1vYnB1c2VyJnBhc3N3b3JkPW9icHBhc3N3b3Jk # jdbc:postgresql://postgres-service:5432/obpuser?user=obpuser&password=obppassword - - kind: PersistentVolumeClaim - apiVersion: v1 - metadata: - name: postgres-volume-claim - spec: - accessModes: - - ReadWriteOnce - volumeMode: Filesystem - resources: - requests: - storage: 5Gi - - kind: Service - apiVersion: v1 - metadata: - name: obpapi-service - spec: - selector: - app: obpapi - ports: - - name: http - protocol: TCP - port: 80 - targetPort: 8080 - type: LoadBalancer - - kind: Deployment - apiVersion: apps/v1 - metadata: - name: obp-deployment - labels: - app: obpapi - spec: - replicas: 1 - selector: - matchLabels: - app: obpapi - template: - metadata: - labels: - app: obpapi - spec: - containers: - - name: obpapi - image: openbankproject/obp-api # docker build -t obpapi-kube . 
- resources: - requests: - memory: "1200Mi" - env: - - name: OBP_DB_DRIVER - valueFrom: - secretKeyRef: - name: postgres-credentials - key: jdbc_driver - - name: OBP_DB_URL - valueFrom: - secretKeyRef: - name: postgres-credentials - key: jdbc_url - ports: - - containerPort: 8080 - name: http - - kind: Service - apiVersion: v1 - metadata: - name: postgres-service - spec: - selector: - app: postgres - ports: - - protocol: TCP - port: 5432 - targetPort: 5432 - - kind: Deployment - apiVersion: apps/v1 - metadata: - name: postgres - labels: - app: postgres - spec: - replicas: 1 - selector: - matchLabels: - app: postgres - template: - metadata: - labels: - app: postgres - spec: - containers: - - name: postgres - image: centos/postgresql-10-centos7 - resources: - requests: - memory: "200Mi" - env: - - name: POSTGRESQL_USER - valueFrom: - secretKeyRef: - name: postgres-credentials - key: postgres_user - - name: POSTGRESQL_PASSWORD - valueFrom: - secretKeyRef: - name: postgres-credentials - key: postgres_password - - name: POSTGRESQL_DATABASE - valueFrom: - secretKeyRef: - name: postgres-credentials - key: postgres_db_name - - name: PGDATA - valueFrom: - secretKeyRef: - name: postgres-credentials - key: postgres_data - volumeMounts: - - name: postgres-volume - mountPath: "/var/lib/postgresql/data" - ports: - - containerPort: 5432 - volumes: - - name: postgres-volume - persistentVolumeClaim: - claimName: postgres-volume-claim
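Review bot: in the openshift/README.md hunk, the fenced block under `Detail:` mixes a personal scratch note (`OBP openshift ATM Postgress curl (time sink: cluster registry permissions/access) ...`) into the jetty error output; only the `WARNING: User is 1012560000`, `cannot create /var/lib/jetty/jetty.start: Permission denied` and `jetty dry run failed:` lines are the error a reader needs, so move the note out of the fence or drop it. Two links use a bare `index.docker.io/chrisjsimpson/obpapi-kube` target with no scheme, which markdown renders as a relative path; give them `https://`. The registries.conf suggestion `'unqualified-search-registries = ["docker.io"]` has a stray leading quote, and pulling fully qualified image names avoids depending on unqualified-search resolution at all. Heading levels are mixed: the table of contents links to `###` sections, but the two deploy sections are `#`. The removed "Seed the sandbox" bootstrap steps have no replacement, so the document no longer says how the initial user is created. Minor typos: `onsole-openshift-console`, `custers`, `lastest`, `prefered`.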
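Review bot: in the new openshift/obp.yaml, the Secret, PersistentVolumeClaim and first Service documents each carry two `apiVersion` keys (`apiVersion: apps/v1` followed by `kind: Secret` and `apiVersion: v1`; `apiVersion: v1` twice on the PVC and on `obpapi-service`); the Kubernetes YAML decoder rejects duplicate mapping keys, so the `oc apply -f obp.yaml` step the README documents will fail on this file. Keep a single `apiVersion: v1` per document. `persistentVolumeReclaimPolicy: Retain` is a PersistentVolume field, not a PersistentVolumeClaim field, and is rejected under strict field validation (and silently ignored otherwise); drop it from the PVC spec. The `obpapi` image `index.docker.io/chrisjsimpson/obpapi-kube` has no tag or digest, so every rollout pulls whatever `latest` is at that moment; pin a tag or `@sha256:` digest. The Secret commits working credentials (`obpuser`/`obppassword`, repeated inside `jdbc_url`); the comment acknowledges this, but a committed value is still a credential, so use placeholders that CI substitutes. Neither Deployment sets resource limits or readiness/liveness probes, and `centos/postgresql-10-centos7` is built on an end-of-life CentOS 7 base with an end-of-life PostgreSQL major.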