Red Hat Advanced Cluster Management for K8s Demo

dlbewley/demo-acm

Red Hat Advanced Cluster Management for Kubernetes Demonstration

About this demo

Exercises features including:
  • ClusterDeployments

  • ClusterPools

  • ClusterSets

Deployment

Tip: In place of kustomize build foo | oc apply -f - you may use oc apply -k foo. YMMV.
  • Build a largish cluster

  • Log in to it

Deploy ACM Hub

  • Deploy ACM operator and MulticlusterHub resource.

$ oc apply -k hub
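# The first run produces an error like the one below, because the MultiClusterHub
# CRD is not registered until the operator has finished installing. Re-run until clean.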
# unable to recognize "STDIN": no matches for kind "MultiClusterHub" in version "operator.open-cluster-management.io/v1"
$ oc apply -k hub

Configure Credentials Secrets

  • Replace the values in the example secrets files with your own credentials.

$ find . -name secrets -o -name certs
./credentials/vsphere/secrets
./credentials/vsphere/certs
./credentials/pull-secret/secrets
./credentials/azure/secrets
./credentials/ssh-keys/secrets
./credentials/aws/secrets
./credentials/gcp/secrets
./credentials/ocm/secrets
./credentials/base/secrets
./credentials/base/certs
./kustomize/oauth/secrets
$ vi clusters/vsphere-demo/install-config.yaml

Create Credentials for Cloud Providers

  • Create credential secrets in open-cluster-management namespace.

$ oc apply -k credentials/hub
The following secrets are created.
$ kustomize build credentials/hub | kfilt -k secret | grep ' name:'
  name: aws-creds
  name: azure-creds
  name: gcp-creds
  name: ocm-creds
  name: pull-secret
  name: ssh-private-key
  name: ssh-public-key
  name: vsphere-certs
  name: vsphere-creds

Deploy Clusters

  • Deploy clusters to the desired clouds.

$ kustomize build clusters/aws-demo     | oc apply -f -
$ kustomize build clusters/az-demo      | oc apply -f -
$ kustomize build clusters/vsphere-demo | oc apply -f -
$ oc apply -k clusters/gcp-demo

namespace/demo-gcp-tofu-org created
secret/gcp-creds created
secret/install-config created
secret/pull-secret created
secret/ssh-private-key created
secret/ssh-public-key created
klusterletaddonconfig.agent.open-cluster-management.io/demo-gcp-tofu-org created
managedcluster.cluster.open-cluster-management.io/demo-gcp-tofu-org created
clusterdeployment.hive.openshift.io/demo-gcp-tofu-org created
machinepool.hive.openshift.io/gcp-demo-worker created

Deploy EKS Cluster

Use the script bin/mkeks to deploy an EKS cluster.

Deploy ClusterPools

$ kustomize build clusterpools/aws-pool   | oc apply -f -
$ kustomize build clusterpools/azure-pool | oc apply -f -

Deploy Policies

  • Deploy example Open Cluster Management policies.

$ kustomize build apps/demo-acm-policies | oc apply -f -

Demonstration

View ClusterPools

$ oc get clusterpools aws-pool -n aws-pool
$ oc get clusterpools azure-pool -n azure-pool
$ oc get namespaces | grep pool

$ oc get namespaces -l hive.openshift.io/cluster-pool-name=aws-pool
$ oc get namespaces -l hive.openshift.io/cluster-pool-name=azure-pool

Access Clusters

$ oc get clusterdeployments -A
NAMESPACE          NAME               PLATFORM   REGION    CLUSTERTYPE   INSTALLED   INFRAID               VERSION   POWERSTATE    AGE
az-edge-cjl7n      az-edge-cjl7n      azure      westus2                 true        az-edge-cjl7n-hp5mw   4.8.4     Hibernating   45h
az-edge-t67sc      az-edge-t67sc      azure      westus2                 true        az-edge-t67sc-vdxcg   4.8.4     Hibernating   45h
demo-az-tofu-org   demo-az-tofu-org   azure      westus2                 true        demo-r4rhh            4.8.4     Hibernating   46h

$ ./bin/ext-kubeconfig demo-az-tofu-org
$ export KUBECONFIG=demo-az-tofu-org/auth/kubeconfig
$ oc describe console

Htpasswd Authentication

$ cd kustomize/oauth
$ touch secrets/passwords/$USER
# for each username in secrets/passwords inject a random password
# and build an htpasswd file
$ make
$ cat secrets/passwords/$USER
$ cat secrets/htpasswd
$ cd ../..
# log in to demo cluster
$ export KUBECONFIG=demo-az-tofu-org/auth/kubeconfig
# create htpasswd secret
$ kustomize build kustomize/oauth | oc apply -f -
# enable htpasswd authN
$ oc patch oauth/cluster --patch-file kustomize/oauth/patch-oauth.yaml --type=merge
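
The "inject a random password and build an htpasswd file" step above, sketched as an added example; this is not the repository's Makefile. The function names `hash_line` and `build_htpasswd` are hypothetical, and the apr1 fallback via openssl is an assumption you should confirm your OAuth server accepts.

```shell
#!/bin/sh
# Added example, NOT the repository's Makefile. The layout follows the README
# (secrets/passwords/<user>, secrets/htpasswd); function names are hypothetical.

# Print one "user:hash" line for user $1. The password is read from stdin,
# so it never shows up in the process list.
hash_line() {
    if command -v htpasswd >/dev/null 2>&1; then
        htpasswd -niB "$1" | head -n 1               # bcrypt
    else
        # Assumption: fall back to apr1 when htpasswd is not installed.
        h=$(openssl passwd -apr1 -stdin) && printf '%s:%s\n' "$1" "$h"
    fi
}

# build_htpasswd DIR: give every empty DIR/passwords/<user> file a random
# password, then rebuild DIR/htpasswd from all password files.
build_htpasswd() {
    dir=$1
    ( umask 077                                      # new files are created 0600
      : > "$dir/htpasswd.tmp"
      for f in "$dir"/passwords/*; do
          [ -f "$f" ] || continue
          user=$(basename "$f")
          case $user in
              *:*) echo "skip $user: ':' is the htpasswd separator" >&2; continue ;;
          esac
          # 18 random bytes become 24 base64 characters; keep existing passwords
          [ -s "$f" ] || head -c 18 /dev/urandom | base64 > "$f"
          chmod 600 "$f"                             # tighten files made by plain touch
          hash_line "$user" < "$f" >> "$dir/htpasswd.tmp" || exit 1
      done
      mv "$dir/htpasswd.tmp" "$dir/htpasswd" )       # replace the old file in one step
}
```

Run as `build_htpasswd secrets` from kustomize/oauth. The cleartext files under secrets/passwords remain the only copy of each password, so they need the same handling as the other credential directories.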

Install Demo Materials

  • Install the Compliance Operator and set up automatic scanning.

# do this twice:
$ oc apply -k 'https://github.com/redhat-cop/gitops-catalog/compliance-operator/aggregate/demo?ref=main'

Set policy-cis to enforcing

Cleanup

Destroy Clusters

$ kustomize build clusters/aws-demo | oc delete -f -
$ kustomize build clusters/az-demo  | oc delete -f -

$ kustomize build clusters/vsphere-demo | oc delete -f -

Destroy ClusterPools

$ kustomize build clusterpools/aws-pool | oc delete -f -
$ kustomize build clusterpools/azure-pool  | oc delete -f -

Status

Todo
  • Less setup and more demo

Bugs
Tips
  • Unlike a ClusterDeployment, a ClusterPool does not directly enable the creation of a machinepool.
