diff --git a/content/patterns/travelops-ossm/_index.adoc b/content/patterns/travelops-ossm/_index.adoc new file mode 100644 index 000000000..c665b6f7c --- /dev/null +++ b/content/patterns/travelops-ossm/_index.adoc @@ -0,0 +1,34 @@ +--- +title: TravelOps +date: 2024-02-09 +tier: sandbox +summary: This pattern enables you to secure your applications using Red Hat Service Mesh. +rh_products: +- Red Hat OpenShift Container Platform +- Red Hat Service Mesh +- Red Hat Kiali +- Red Hat Jaeger Distributed Tracing +- Red Hat ElasticSearch +industries: +- General +aliases: /travelops/ +links: + install: getting-started + help: https://groups.google.com/g/validatedpatterns + bugs: https://github.com/validatedpatterns-sandbox/travelops/issues +ci: travelops +--- +:toc: +:imagesdir: /images +:_content-type: ASSEMBLY +include::modules/comm-attributes.adoc[] + +include::modules/trvlops-about.adoc[leveloffset=+1] + +include::modules/trvlops-architecture.adoc[leveloffset=+1] + +[id="next-steps_trvlops-index"] +== Next steps + +* link:getting-started[Deploy the Pattern] using Helm. + diff --git a/content/patterns/travelops-ossm/demo-script.adoc b/content/patterns/travelops-ossm/demo-script.adoc new file mode 100644 index 000000000..98aafc505 --- /dev/null +++ b/content/patterns/travelops-ossm/demo-script.adoc @@ -0,0 +1,12 @@ +--- +title: Demo Script +weight: 60 +aliases: /travelops/demo/ +--- + +:toc: +:imagesdir: /images +:_content-type: REFERENCE +include::modules/comm-attributes.adoc[] + +include::modules/trvlops-demo.adoc[leveloffset=+1] diff --git a/content/patterns/travelops-ossm/getting-started.adoc b/content/patterns/travelops-ossm/getting-started.adoc new file mode 100644 index 000000000..9f4774f25 --- /dev/null +++ b/content/patterns/travelops-ossm/getting-started.adoc 
@@ -0,0 +1,19 @@ +--- +title: Getting Started +weight: 10 +aliases: /travelops/getting-started/ +--- + +:toc: +:imagesdir: /images +:_content-type: ASSEMBLY +include::modules/comm-attributes.adoc[] + +include::modules/trvlops-deploying.adoc[leveloffset=1] + +[id="next-steps_getting-started"] +== Next Steps + +To run through the demo, refer to link:..//demo-script[Monitor the Mesh] + +Like what you see, but can't quite put your finger on how you could use a Service Mesh? Check out link:../ideas-for-customization[Ways to customize the Mesh] for some ideas! diff --git a/content/patterns/travelops-ossm/ideas-for-customization.adoc b/content/patterns/travelops-ossm/ideas-for-customization.adoc new file mode 100644 index 000000000..a66ce6171 --- /dev/null +++ b/content/patterns/travelops-ossm/ideas-for-customization.adoc @@ -0,0 +1,13 @@ +--- +title: Ideas for customization +weight: 50 +aliases: /travelops/ideas-for-customization/ +--- + +:toc: +:imagesdir: /images +:_content-type: ASSEMBLY +include::modules/comm-attributes.adoc[] + +//header information comes from the module +include::modules/trvlops-about-customizing-pattern.adoc[leveloffset=+1] diff --git a/modules/comm-attributes.adoc b/modules/comm-attributes.adoc index 24afc6e41..7604db017 100644 --- a/modules/comm-attributes.adoc +++ b/modules/comm-attributes.adoc @@ -33,6 +33,8 @@ :med: medical diagnosis :multi-devsec-pattern: Multi-cluster DevSecOps pattern :multi-devsec: multi-cluster DevSecOps +:trvlops-pattern: TravelOps pattern +:trvlops: TravelOps pattern // Associated products :hashicorp-vault: HashiCorp Vault :hashicorp-vault-short: Vault @@ -152,5 +154,10 @@ // Red Hat OpenShift AI :rh-oai: Red{nbsp}Hat OpenShift Data Science :oai: OpenShift Data Science +// Red Hat Service Mesh +:rh-sm: Red{nbsp}Hat Service Mesh +:rh-kiali: Kiali +:rh-jaeger: Jaeger Distributed Tracing +:rh-elastic: ElasticSearch // Icons :grid: grid.png 
diff --git a/modules/trvlops-about-customizing-pattern.adoc b/modules/trvlops-about-customizing-pattern.adoc new file mode 100644 index 000000000..1c5e727b3 --- /dev/null +++ b/modules/trvlops-about-customizing-pattern.adoc @@ -0,0 +1,19 @@ +:_content-type: CONCEPT +:imagesdir: ../../images + +[id="about-customizing-pattern-trvlops"] += About customizing the pattern {trvlops-pattern} + +One of the major goals of the Validated Patterns development process is to create modular, customizable demos. The {trvlops-pattern} is just an example of a pattern that can deploy a Service Mesh and add applications to it using GitOps. When reading these customization ideas really think of them in the context of starting with this pattern and extending it to meet your organizations needs. + +* oAuth Configuration +** Create an oAuth provider (HTPasswd, GitHub, MicroSoft) +** Create RBAC (roles, rolebindings) and assign to users + +* External prometheus installation + +* Integrate `openshift-pipelines` into the pattern for a full `ci/cd` experience + +* Integrate with Keycloak for AuthN / AuthZ + +* Integrate with a real certificate authority like Let's Encrypt diff --git a/modules/trvlops-about.adoc b/modules/trvlops-about.adoc new file mode 100644 index 000000000..78b18aac6 --- /dev/null +++ b/modules/trvlops-about.adoc 
@@ -0,0 +1,67 @@ +:_content-type: CONCEPT +:imagesdir: ../../images + +[id="about-travelops-pattern"] += About the travelops pattern + +Use case:: + +* Use a GitOps approach to manage hybrid and multi-cloud deployments across both public and private clouds. +* Enable cross-cluster governance and application lifecycle management. +* Securely manage secrets across the deployment. ++ +[NOTE] +==== +Based on the requirements of a specific implementation, certain details might differ. However, all validated patterns that are based on a portfolio architecture, generalize one or more successful deployments of a use case. +==== + +Background:: + +The {trvlops-pattern} deployed using OpenShift GitOps and is comprised of Red Hat Service Mesh (RHSM), Kiali for the Service Mesh console, Jaeger for distributed tracing, and elasticsearch for logging and analytics. The application deployed is from the Kiali traveldemo tutorial. This pattern isn't as much about the demo as it is about the capabilities that are enabled with a few simple configurations. Service Mesh's are being incorporated across multiple platforms to provide secure communications between services. + +//In this pattern we implement Mutual TLS (mTLS) which is completed per namespace. To enable a namespace in the mesh you must add the namespace to the list under `serviceMeshMemberNamespaces` in `values-travelops.yaml`. This will create a Service Mesh Member (SMM) resource, which tells the Service Mesh that resources in the namespace are authorized in the mesh. + +Organizations are aiming to develop, deploy, and operate applications on an open hybrid cloud in a stable, simple, and secure way. This hybrid strategy includes multi-cloud deployments where workloads might be running on multiple clusters and on multiple clouds, private or public. +This strategy requires an infrastructure-as-code approach: GitOps. GitOps uses Git repositories as a single source of truth to deliver infrastructure-as-code. 
Submitted code will be checked by the continuous integration (CI) process, while the continuous delivery (CD) process checks and applies requirements for things like security, infrastructure-as-code, or any other boundaries set for the application framework. All changes to code are tracked, making updates easy while also providing version control should a rollback be needed. + +[id="about-solution"] +== About the solution + +This architecture covers a single cluster for all DevOps and GitOps functionality. However, one could extend this architecture to meet hybrid or multicloud demand using a GitOps approach + +Benefits of Hybrid Multicloud management with GitOps: + +* Unify management across cloud environments. +* Dynamic infrastructure security. +* Infrastructural continuous delivery best practices. + +In the following figure, logically, this solution can be viewed as being composed of an automation component, unified management including secrets management, and the clusters under management, all running on top of a user-chosen mixture of on-premise data centers and public clouds. + +.Logical diagram of hybrid multi-cloud management with GitOps +image::multicloud-gitops/logical-diagram.png[Logical Architecture] + +[id="about-technology"] +== About the technology + +The following technologies are used in this solution: + + +https://www.redhat.com/en/technologies/cloud-computing/openshift/try-it[Red Hat OpenShift Platform]:: +An enterprise-ready Kubernetes container platform built for an open hybrid cloud strategy. It provides a consistent application platform to manage hybrid cloud, public cloud, and edge deployments. It delivers a complete application platform for both traditional and cloud-native applications, allowing them to run anywhere. OpenShift has a pre-configured, pre-installed, and self-updating monitoring stack that provides monitoring for core platform components. 
It also enables the use of external secret management systems, for example, HashiCorp Vault in this case, to securely add secrets into the OpenShift platform. + +https://www.redhat.com/en/technologies/cloud-computing/openshift/try-it[Red Hat OpenShift GitOps]:: +A declarative application continuous delivery tool for Kubernetes based on the ArgoCD project. Application definitions, configurations, and environments are declarative and version controlled in Git. It can automatically push the desired application state into a cluster, quickly find out if the application state is in sync with the desired state, and manage applications in multi-cluster environments. + +https://www.redhat.com/en/technologies/management/advanced-cluster-management[Red Hat Advanced Cluster Management for Kubernetes]:: +Controls clusters and applications from a single console, with built-in security policies. Extends the value of Red Hat OpenShift by deploying apps, managing multiple clusters, and enforcing policies across multiple clusters at scale. + +https://www.redhat.com/en/technologies/cloud-computing/openshift/what-is-openshift-service-mesh[Red Hat Service Mesh]:: +Red Hat® OpenShift Service Mesh provides a uniform way to connect, manage, and observe microservices-based applications. + +https://www.redhat.com/en/technologies/management/ansible[Red Hat Ansible Automation Platform]:: +Provides an enterprise framework for building and operating IT automation at scale across hybrid clouds including edge deployments. It enables users across an organization to create, share, and manage automation, from development and operations to security and network teams. + +Hashicorp Vault:: +Provides a secure centralized store for dynamic infrastructure and applications across clusters, including over low-trust networks between clouds and data centers. 
+ +This solution also uses a variety of _observability tools_ including the Prometheus monitoring and Grafana dashboard that are integrated with OpenShift as well as components of the Observatorium meta-project which includes Thanos and the Loki API. diff --git a/modules/trvlops-architecture.adoc b/modules/trvlops-architecture.adoc new file mode 100644 index 000000000..d3a51b1e9 --- /dev/null +++ b/modules/trvlops-architecture.adoc 
@@ -0,0 +1,54 @@ +:_content-type: CONCEPT +:imagesdir: ../../images + +[id="overview-architecture"] += Overview of the architectures + +The following figure provides a high level architectural overview of the travelops pattern. + +.Overview schematic diagram of the complete solution +image::travelops/ossm-arch-travelops.png[Physical Architecture,link="/images/travelops/ossm-arch-travelops.png"] + +Subsequent schematic diagrams provide details on: + +* Hybrid multi-cloud GitOps +* Dynamic security management + +[id="hybrid-multicloud-gitops"] +== Hybrid Multicloud GitOps + +The following figure provides a schematic diagram showing remaining activities associated with setting up the management hub and clusters using Red Hat Advanced Cluster Management. + +//figure 5 originally +.Schematic diagram of hybrid multi-cloud management with GitOps +image::multicloud-gitops/spi-multi-cloud-gitops-sd-security.png[Schematic diagram of hybrid multi-cloud management with GitOps] + +* Manifest and configuration are set as code template in the form of a `Kustomization` YAML file. The file describes the desired end state of the managed cluster. When complete, the `Kustomization` YAML file is pushed into the source control management repository with a version assigned to each update. +* OpenShift GitOps monitors the repository and detects changes in the repository. +* OpenShift GitOps creates and updates the manifest by creating Kubernetes objects on top of Red Hat Advanced Cluster Management. +* Red Hat Advanced Cluster Management provisions, updates, or deletes managed clusters and configuration according to the manifest. In the manifest, you can configure what cloud provider the cluster will be on, the name of the cluster, infrastructure node details and worker node. Governance policy can also be applied as well as provision an agent in the cluster as the bridge between the control center and the managed cluster. 
+* OpenShift GitOps continuously monitors the code repository and the status of the clusters reported back to Red Hat Advanced Cluster Management. Any configuration drift or in case of any failure, OpenShift GitOps will automatically try to remediate by applying the manifest or by displaying alerts for manual intervention. + +[id="dynamic-security-management"] +== Dynamic security management + +The following figure provides a schematic diagram showing how secrets are handled in this solution. + +//figure 6 originally +.Schematic showing the setup and use of external secrets management +image::multicloud-gitops/spi-multi-cloud-gitops-sd-security.png[Schematic showing the setup and use of external secrets management] + +* During setup, the token to securely access HashiCorp Vault is stored in Ansible Vault. It is encrypted to protect sensitive content. + +* Red Hat Advanced Cluster Management for Kubernetes acquires the token from Ansible Vault during install and distributes it among the clusters. As a result, you have centralized control over the managed clusters through RHACM. + +* To allow the cluster access to the external vault, you must set up the external secret management with Helm in this study. OpenShift Gitops is used to deploy the external secret object to a managed cluster. + +* External secret management fetches secrets from HashiCorp Vault by using the token that was generated in step 2 and constantly monitors for updates. + +* Secrets are created in each namespace, where applications can use them. + +//[id="slide-deck"] +//== Presentation +// +//View a short presentation slide deck about Multicloud GitOps link:https://speakerdeck.com/rhvalidatedpatterns/multicloud-gitops[here] diff --git a/modules/trvlops-demo.adoc b/modules/trvlops-demo.adoc new file mode 100644 index 000000000..881ac6093 --- /dev/null +++ b/modules/trvlops-demo.adoc 
@@ -0,0 +1,10 @@ +:_content-type: PROCEDURE +:imagesdir: ../../../images + +[id="demoscript-trvlops-pattern"] += TravelOps Demo Script + +[WARNING] +==== +TravelOps demo script is under construction. Will be posted shortly. +==== diff --git a/modules/trvlops-deploying.adoc b/modules/trvlops-deploying.adoc new file mode 100644 index 000000000..02d6ffe9f --- /dev/null +++ b/modules/trvlops-deploying.adoc 
@@ -0,0 +1,177 @@ +:_content-type: PROCEDURE +:imagesdir: ../../../images + +[id="deploying-trvlops-pattern"] += Deploying the TravelOps pattern + +.Prerequisites + +* An OpenShift cluster + ** To create an OpenShift cluster, go to the https://console.redhat.com/[Red Hat Hybrid Cloud console]. + ** Select *Services \-> Containers \-> Create cluster*. + ** The cluster must have a dynamic `StorageClass` to provision `PersistentVolumes`. See link:../../multicloud-gitops/mcg-cluster-sizing[sizing your cluster]. +* Optional: A second OpenShift cluster for multicloud demonstration. +//Replaced git and podman prereqs with the tooling dependencies page +* https://validatedpatterns.io/learn/quickstart/[Install the tooling dependencies]. + +The use of this pattern depends on having at least one running Red Hat OpenShift cluster. However, consider creating a cluster for deploying the GitOps management hub assets and a separate cluster for the managed cluster. + +If you do not have a running Red Hat OpenShift cluster, you can start one on a +public or private cloud by using https://console.redhat.com/openshift/create[Red Hat Hybrid Cloud Console]. + +.Procedure + +. Fork the https://github.com/validatedpatterns-sandbox/travelops[travelops] repository on GitHub. +. Clone the forked copy of this repository. ++ +[source,terminal] +---- +git clone git@github.com:your-username/travelops.git +---- + +. Create a local copy of the secret values file that can safely include credentials. 
Run the following commands: ++ +[source,terminal] +---- +cp values-secret.yaml.template ~/values-secret-travelops.yaml +---- ++ +[source,yaml] +---- +version: "2.0" +# Ideally you NEVER COMMIT THESE VALUES TO GIT (although if all passwords are +# automatically generated inside the vault this should not really matter) + +secrets: + - name: mysql-credentials + vaultPrefixes: + - global + fields: + - name: rootpasswd + onMissingValue: generate + vaultPolicy: validatedPatternDefaultPolicy + +# Uncomment the following if you want to enable HTPasswd oAuth +# - name: htpasswd +# vaultPrefixes: +# - global +# fields: +# - name: htpasswd +# path: '/path/to/users.htpasswd' +---- ++ +[WARNING] +==== +Do not commit this file. You do not want to push personal credentials to GitHub. If you do not want to customize the secrets, these steps are not needed. The framework generates a random password for the config-demo application. +==== + +. Customize the deployment for your cluster. Run the following command: ++ +[source,terminal] +---- +git switch -c my-branch +---- ++ +[source,terminal] +---- +vi values-hub.yaml +---- ++ +[source,terminal] +---- +git add values-hub.yaml +---- ++ +[source,terminal] +---- +git commit values-hub.yaml +---- ++ +[source,terminal] +---- +git push origin my-branch +---- + +. Deploy the pattern by running `./pattern.sh make install` or by using the link:/infrastructure/using-validated-pattern-operator/[Validated Patterns Operator]. + +[id="deploying-cluster-using-patternsh-file"] +== Deploying the cluster by using the pattern.sh file + +To deploy the cluster by using the `pattern.sh` file, complete the following steps: + +. Login to your cluster by running the following command: ++ +[source,terminal] +---- + oc login +---- ++ +Optional: Set the `KUBECONFIG` variable for the `kubeconfig` file path: ++ +[source,terminal] +---- + export KUBECONFIG=~/ +---- + +. Deploy the pattern to your cluster. 
Run the following command: ++ +[source,terminal] +---- + ./pattern.sh make install +---- + +[id="verify-trvlops-pattern-install"] +== Verify TravelOps Pattern installation + +. Verify that the Operators have been installed. + .. To verify, in the OpenShift Container Platform web console, navigate to *Operators → Installed Operators* page. + .. Set your project to `All Projects` and verify the operators are isntalled and have a status of `Succeeded`. +. Verify that all applications are synchronized. Under the project `travelops-hub` click the URL for the `hub` gitops `server`. ++ +image::travelops/ossm-sync-success.png[ArgoCD Applications,link="/images/travelops/ossm-sync-success.png"] + ++ +As part of this pattern, HashiCorp Vault has been installed. Refer to the section on https://validatedpatterns.io/secrets/vault/[Vault]. + + +[id="verify-trvlops-dashboards"] +== Verify installation by checking the TravelOps Dashboards + +. Access the Kiali and Travel Control dashboards + ++ +[source, terminal] +---- +KIALI=https://$(oc get route -n istio-system kiali -o jsonpath='{.spec.host}') +echo ${KIALI} + +CONTROL=http://$(oc get route -n istio-system istio-ingressgateway -o jsonpath='{.spec.host}') +echo ${CONTROL} +---- + ++ +When we see the 🔒 icon next to our applications and in the top right hand corner of the dashboard it confirms that mTLS is enabled and active in the mesh. + +* The "🔒" is present next to the logged in user in top right corner of the window. +* 7 applications in the `travel-agency` tile with the "🔒" next to `Istio config` +* 1 application in the `travel-control` tile with the "🔒" next to `Istio config` +* 3 applications in the `travel-portal` tile with the "🔒" next to `Istio config` + +. 
Review your Kiali dashboard ++ +image:travelops/ossm-kiali-db-arrows.png[Kiali Dashboard,link="/images/travelops/ossm-kiali-db-arrows.png"] + +[id="review-travelops-agency-svc"] +== Review Travel Agency Application Graph + +In the Kiali dashboard we can see how all of the various components interact with each other within the service mesh. Just to get a glimpse of what we are able to see let's take a look at the applications and services in the `travel-agency` namespace. + +In the left hand menu: + +* click Graph +* in the `Namespace` dropdown, select `travel-agency` +* exit the menu + +You should see all of the deployments and services that make up the travel-agency application. + +image:travelops/travel-agency-svc-kiali.png[Travel Agency,link="/images/travelops/travel-agency-svc-kiali.png"] diff --git a/static/images/travelops/kiali-db.png b/static/images/travelops/kiali-db.png new file mode 100644 index 000000000..5b763e4e4 Binary files /dev/null and b/static/images/travelops/kiali-db.png differ diff --git a/static/images/travelops/ossm-arch-travelops.png b/static/images/travelops/ossm-arch-travelops.png new file mode 100644 index 000000000..5b996428b Binary files /dev/null and b/static/images/travelops/ossm-arch-travelops.png differ diff --git a/static/images/travelops/ossm-kiali-db-arrows.png b/static/images/travelops/ossm-kiali-db-arrows.png new file mode 100644 index 000000000..08060f056 Binary files /dev/null and b/static/images/travelops/ossm-kiali-db-arrows.png differ diff --git a/static/images/travelops/ossm-kiali-db.jpg b/static/images/travelops/ossm-kiali-db.jpg new file mode 100644 index 000000000..ed3c0e5fe Binary files /dev/null and b/static/images/travelops/ossm-kiali-db.jpg differ diff --git a/static/images/travelops/ossm-kiali.png b/static/images/travelops/ossm-kiali.png new file mode 100644 index 000000000..057788cfb Binary files /dev/null and b/static/images/travelops/ossm-kiali.png differ 
diff --git a/static/images/travelops/ossm-sync-success.png b/static/images/travelops/ossm-sync-success.png new file mode 100644 index 000000000..0ba5d43c8 Binary files /dev/null and b/static/images/travelops/ossm-sync-success.png differ diff --git a/static/images/travelops/ossm-travelops-controlapp.png b/static/images/travelops/ossm-travelops-controlapp.png new file mode 100644 index 000000000..cb7720bb0 Binary files /dev/null and b/static/images/travelops/ossm-travelops-controlapp.png differ diff --git a/static/images/travelops/travel-agency-svc-kiali.png b/static/images/travelops/travel-agency-svc-kiali.png new file mode 100644 index 000000000..4770f6a6e Binary files /dev/null and b/static/images/travelops/travel-agency-svc-kiali.png differ
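Review bot: In `content/patterns/travelops-ossm/getting-started.adoc`, `include::modules/trvlops-deploying.adoc[leveloffset=1]` uses an absolute level offset while every other include in this change uses `leveloffset=+1`; make it `+1` so the module's `=` title nests the same way as the about and architecture modules. Two more points in the same file: `link:..//demo-script[Monitor the Mesh]` has a doubled slash (the sibling link is `link:../ideas-for-customization[...]`), and the heading `== Next Steps` is capitalized differently from `== Next steps` in `_index.adoc`.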
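Review bot: In the first `modules/comm-attributes.adoc` hunk, `:trvlops-pattern:` and `:trvlops:` both expand to "TravelOps pattern", so `{trvlops}` cannot serve as the short form the way `{multi-devsec}` does for `{multi-devsec-pattern}`; set `:trvlops: TravelOps`. In the second hunk, `:rh-elastic: ElasticSearch` misspells the product, which is written "Elasticsearch"; the same spelling appears in the `rh_products` list of `_index.adoc` as "Red Hat ElasticSearch".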
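Review bot: In `modules/trvlops-about-customizing-pattern.adoc`, the title `= About customizing the pattern {trvlops-pattern}` renders as "About customizing the pattern TravelOps pattern" because the attribute already contains the word "pattern"; drop the literal "the pattern" or title it "About customizing the {trvlops-pattern}". Spelling in the same module: "organizations needs" should be "organization's needs", "oAuth" should be "OAuth" (twice), "MicroSoft" should be "Microsoft", and "External prometheus installation" should capitalize Prometheus.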
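Review bot: In `modules/trvlops-about.adoc`, the only paragraph that explains the pattern's security mechanism is commented out: the `//` line about per-namespace mutual TLS, the `serviceMeshMemberNamespaces` list in `values-travelops.yaml`, and the ServiceMeshMember resource that authorizes a namespace into the mesh. That is the one thing a reader needs to know to add their own application safely, so uncomment it here or move it into the "Customize the deployment" step of the deploying module. Grammar in the same paragraph block: "The {trvlops-pattern} deployed using OpenShift GitOps" is missing "is", "Service Mesh's are" should be "Service meshes are", and "elasticsearch" should match the product spelling used elsewhere. The "About the solution" and "About the technology" sections read as copied from multicloud-gitops: they describe Red Hat Advanced Cluster Management, Ansible Automation Platform, Observatorium, Thanos and Loki, and embed `multicloud-gitops/logical-diagram.png`, none of which appear in this pattern's `rh_products`, while Kiali and Jaeger, which do, get no entry; the "Red Hat OpenShift GitOps" entry also links to the OpenShift try-it URL rather than a GitOps page. Minor: the sentence ending "using a GitOps approach" has no period.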
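Review bot: In `modules/trvlops-architecture.adoc`, both figures point at the same file, `multicloud-gitops/spi-multi-cloud-gitops-sd-security.png`; the "Hybrid Multicloud GitOps" figure is captioned as the GitOps schematic but will show the secrets-management diagram. In the "Dynamic security management" list, "the token that was generated in step 2" refers to a numbered step, but the list uses `*` bullets, so either number it with `.` or say "the token RHACM acquired from Ansible Vault". The section also describes RHACM provisioning managed clusters, which the deploying module never installs or mentions, so it does not match the single-cluster service-mesh deployment the rest of the change documents. Minor: `= Overview of the architectures` should be singular, and "OpenShift Gitops" should be "OpenShift GitOps" as written elsewhere.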
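Review bot: In `modules/trvlops-demo.adoc`, the "under construction" WARNING is the page that getting-started's `link:..//demo-script[Monitor the Mesh]` lands on, so the "Next Steps" section sends readers to a stub; either hold the link until the script exists or seed it with the Kiali dashboard and application-graph steps that already live in the deploying module. Separately, `:imagesdir: ../../../images` here and in `trvlops-deploying.adoc` differs from `../../images` in `trvlops-about.adoc` and `trvlops-architecture.adoc`; all four modules reference images as `travelops/...`, so one of the two values resolves to the wrong directory.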
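Review bot: In `modules/trvlops-deploying.adoc`, `export KUBECONFIG=~/` points at the home directory, not a kubeconfig file, so `oc` will fail to load it; use the path to the file, for example `export KUBECONFIG=~/<cluster-dir>/auth/kubeconfig` with the placeholder explained. In the verification section, `CONTROL=http://$(oc get route -n istio-system istio-ingressgateway ...)` reaches the Travel Control dashboard over plain HTTP at the cluster edge, while the next paragraph uses the 🔒 icon to say communication is secure; mutual TLS inside the mesh does not cover the browser-to-ingress hop, so either say the ingress route is unencrypted and demo-only or give the ingress gateway route TLS termination and use `https://` as the Kiali line does. The same paragraph should state whether the namespaces use STRICT or PERMISSIVE mutual TLS, since only STRICT rejects plaintext and the text claims mTLS is "enabled and active". The WARNING after the secrets file says "The framework generates a random password for the config-demo application", but the only secret defined is `mysql-credentials`; config-demo is the multicloud-gitops application. The "Customize the deployment for your cluster" step edits `values-hub.yaml` without saying what to change, and the prerequisite "Optional: A second OpenShift cluster for multicloud demonstration" is never used by the procedure. Formatting: "isntalled" is a typo; `[source, terminal]` has a stray space; `*Operators → Installed Operators*` uses a literal arrow where the prerequisites use `\->`; and `image:travelops/ossm-kiali-db-arrows.png[...]` and `image:travelops/travel-agency-svc-kiali.png[...]` use the inline `image:` macro, so they render inline instead of as block figures like the `image::` screenshots above them.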
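Review bot: Of the eight binaries added under `static/images/travelops/`, four are never referenced by any `.adoc` in this change: `kiali-db.png`, `ossm-kiali-db.jpg`, `ossm-kiali.png` and `ossm-travelops-controlapp.png`. The modules only use `ossm-arch-travelops.png`, `ossm-sync-success.png`, `ossm-kiali-db-arrows.png` and `travel-agency-svc-kiali.png`; drop the unused files or wire them into the demo script when it is written.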