edge-virt's Introduction

ACM Hub Bootstrap

Prerequisites

  • A Unix-like system (actually needs to be Linux, sorry Mac users)
  • make
  • curl
  • ssh-keygen
  • podman, or docker with export RUNNER=docker (used to run yq in a container)

Usage

  1. Create an RHDP Open Environment with a suitable timeout

  2. Edit install-config.yaml, changing the base domain to the top-level Route53 domain for your environment (or bring your own domain, configuration not described here).

    • Note: You can edit other things in the file as well, changing the instance count or specifying the instance type of the cluster or selecting an alternative region for example.
  3. Grab your Pull Secret from the Red Hat Console and export the variable in your terminal:

    export PULL_SECRET='<paste here>'
  4. Export the variables for API access to AWS from your Open Environment in the same terminal:

    export AWS_ACCESS_KEY_ID='<paste here>'
    export AWS_SECRET_ACCESS_KEY='<paste here>'
  5. Optionally, place these lines in a file named .env at the repository root

  6. Generate an age secret for ArgoCD to use to decrypt chart secrets

  7. Generate bootstrap/age-secret.yaml with the following content:

    apiVersion: v1
    kind: Secret
    metadata:
      name: helm-secrets-private-keys
      namespace: openshift-gitops
    type: Opaque
    data:
      argo.txt: <base64-encoded copy of your age secret>
  8. Run make

  9. Configure the git repository with a deploy key, pasting in the contents of install/argo_ed25519.pub.

  10. Wire up the secrets needed for on-cluster activities, for example the equivalent key in secrets.yaml holding the secret access key that cert-manager needs to answer DNS challenges. The applications need other secrets as well; those are out of scope for this README.
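Steps 6 and 7 above (generate an age secret, then wrap it in a Secret named helm-secrets-private-keys) are shown here as one worked shell example. This is an added example, not a script from the edge-virt repository: it assumes the age-keygen tool is on PATH (the README does not name which age tool to use), writes the identity to a constructed path bootstrap/age.key, and emits the bootstrap/age-secret.yaml content exactly as step 7 lists it. Before encoding, it checks that the file really contains the private identity (AGE-SECRET-KEY-1...) rather than the public recipient, since a Secret built from the wrong file would leave ArgoCD unable to decrypt the chart secrets.

```shell
#!/bin/sh
# Added example, not edge-virt's own code. Requires GNU coreutils (base64 -w0),
# which the README's Linux-only prerequisite already implies.
set -eu

# render_age_secret KEYFILE
#   Prints the bootstrap/age-secret.yaml content from step 7 to stdout,
#   with the whole age identity file base64-encoded into data.argo.txt.
render_age_secret() {
  keyfile="$1"
  # Refuse the public half (age1...) or any other file: helm-secrets needs the private identity.
  if ! grep -q '^AGE-SECRET-KEY-1' "$keyfile"; then
    echo "render_age_secret: $keyfile does not contain an age private identity" >&2
    return 1
  fi
  encoded="$(base64 -w0 < "$keyfile")"
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: helm-secrets-private-keys
  namespace: openshift-gitops
type: Opaque
data:
  argo.txt: ${encoded}
EOF
}

# generate_and_render OUTDIR
#   Creates OUTDIR/age.key (constructed path; assumes age-keygen is installed)
#   unless it already exists, then writes OUTDIR/age-secret.yaml next to it.
#   Both files hold the private key, so both are created mode 0600.
generate_and_render() {
  outdir="$1"
  mkdir -p "$outdir"
  if [ ! -f "$outdir/age.key" ]; then
    ( umask 077; age-keygen -o "$outdir/age.key" )
  fi
  ( umask 077; render_age_secret "$outdir/age.key" > "$outdir/age-secret.yaml" )
  echo "wrote $outdir/age-secret.yaml" >&2
}

# Usage: ./age-secret.sh --run   (writes bootstrap/age.key and bootstrap/age-secret.yaml)
if [ "${1:-}" = "--run" ]; then
  generate_and_render bootstrap
fi
```

The rendered YAML is the private key in a different encoding, so keep bootstrap/age-secret.yaml out of version control and treat it with the same care as the age identity itself; only the age public key (the recipient) belongs in the repository's sops configuration.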

What it does (updated as we add things)

  1. Downloads the latest OpenShift 4.15 stable installer
  2. Generates an SSH key for use with this cluster
  3. Templates the install-config.yaml file with your pull secret and the generated SSH key
  4. Installs OpenShift on AWS using IPI
  5. Bootstraps that OpenShift cluster by installing OpenShift GitOps and wiring it with an app-of-apps that watches the applications/ directory of this repository, applying all ArgoCD Applications to the cluster.
    1. cert-manager for trusted TLS certificates for the cluster from Let's Encrypt
    2. OAuth configuration for a GitHub organization, and definition of cluster-admins
    3. ACM and a default MultiClusterHub resource, including configuring the MultiClusterEngine and Assisted Service
  6. Configures InfraEnvs for Assisted Service per location
    1. harmison-house - this is the home network of James Harmison, deliberately not exposed to the internet
  7. Configures a ManagedClusterSet for this InfraEnv and a default env-wide Placement resource for policy
  8. Uses an ApplicationSet to template out managed cluster provisioning activities
    1. The following clusters are provisioned right now:
      1. small-post-1, a SNO (single-node OpenShift) instance in harmison-house
    2. For each of these clusters, the following is created:
      1. All of the necessary Assisted Installer configuration to adopt the node (still requires manual approval, on purpose)
      2. An ACM ManagedCluster resource to enable the cluster to phone home to register
      3. The necessary configurations so that, when the cluster provisions, it phones home to the ACM hub and registers itself, installing the necessary Klusterlets
  9. Manages certificates for all managed clusters: the cert-manager instance on the Hub requests the certificates, and a Policy bound to each individual cluster deploys only that cluster's TLS key material and enforces its use for the API server and the default wildcard OpenShift Routes.
    1. Because this is deployed as a Policy, the ACM hub tracks enforcement of the certificates in terms of NIST SP 800-53, and we've marked compliance as related to SC-12 (Cryptographic Key Establishment and Management). Keeping this context attached to the configuration makes audits easier.
  10. Begins

Contributors

jharmison-redhat, doshackathon, khair-rh, kellyhair
