- A Linux, Mac or Windows computer able to run
bash
shell scripts. - An installed and configured container runtime (
docker
orpodman
) that your user has the privilege to execute within thatbash
shell.
NOTE: There is a folder named cluster
created in the vars
subdirectory referenced throughout these snippets. You can name it whatever you like and use it to isolate your cluster provisioning locally, just ensure that calls to run-playbook.sh
use the name of that folder instead of cluster
when the instructions say to call ./run-playbook.sh -c cluster
.
-
Clone this repository.
git clone https://github.com/jharmison-redhat/openshift-setup.git cd openshift-setup
-
Copy the example variables to a new variable directory
mkdir vars/cluster cp vars/cluster.example.yml vars/cluster/cluster.yml
-
One of several options:
- Provision an RHDPS cluster.
- From the RHPDS interface, request an OpenShift 4.5 workshop and enable LetsEncrypt for the cluster.
- Wait for the email from RHPDS with your cluster GUID and login information.
- Log in to your RPHDS cluster using
kubectl
oroc
and the credentials provided in the RHPDS email.
- Export your AWS account admin IAM credentials.
- Download and start a CodeReady Containers cluster.
- Provision an RHDPS cluster.
-
Edit
vars/cluster/cluster.yml
to change values. The file is commented and those comments should be read, as they explain what you may be intending to do. -
Deploy everything using your staged answers.
-
For a provisioned cluster, the command line should be simple:
./run-playbook.sh -c cluster cluster
-
For an RHPDS cluster, the command line should point to your default kubeconfig with your cached login from above:
./run-playbook.sh -c cluster -k ~/.kube/config cluster
-
For a CRC cluster, the command line should point to the default kubeconfig it stages from the installer:
./run-playbook.sh -c cluster -k ~/.crc/machine/crc/kubeconfig cluster
-
-
If you chose to change the console URL in the vars file, access your cluster at
console.apps.{{ cluster_name }}.{{ openshift_base_domain }}
- note that the Console route is shortened from the RHPDS provided and default console route. -
To deprovision a self-provisioned cluster, simply execute the destroy playbook with:
./run-playbook.sh -c cluster destroy
run-playbook.sh
has been developed to use the Dockerfile present to run the playbooks and roles inside a RHEL 8 UBI container image. This means you can use run-playbook.sh to package a new container image on the fly with your changes to the repository, satisfying dependencies, and then map tmp and vars in to the container. In order to enable multiple clusters being run with multiple containers, run-playbook.sh
requires a cluster name, and your variables should be structured into folders.
usage: run-playbook.sh [-h|--help] | [-v|--verbose] [(-e |--extra=)VARS] \
(-c |--cluster=)CLUSTER [-k |--kubeconfig=)FILE] [-f|--force] \
[[path/to/]PLAY[.yml]] [PLAY[.yml]]...
You should specify -c CLUSTER
or --cluster=CLUSTER
to define a container-managed cluster with a friendly name of CLUSTER. In this case, the container images will be tagged as devsecops-CLUSTER:latest
and when executed, vars will be mapped in from vars/CLUSTER/
, expecting to be the default name of cluster.yml
as needed. If you have a local ~/.kube/config
that you have a cached login (for example, as opentlc-mgr
), you should pass the path to that file with -k ~/.kube/config
or --kubeconfig=~/.kube/config
. run-playbook.sh
will copy that file into the tmp/
directory in the appropriate place for your cluster.
Because run-playbook.sh
stages the kubeconfig in this way, the cached logins from the playbooks will not back-propogate to your local ~/.kube/config
, so follow-on execution of oc
or kubectl
on your host system will not respect any changes executed in the container without using the kubeconfig in tmp/
- which you can do by exporting the KUBECONFIG
variable with the full path of that file, which is made easy by sourcing prep.sh
. prep.sh
will load a cluster's tmp directory into your $PATH
and export KUBECONFIG
for you so you can use oc
for that cluster version easily.
The -f
or --force
options are to force-overwrite a KUBECONFIG
file from a previous run. If you reuse a cluster name across multiple deployments, you will need this variable if you don't delete the tmp
directories (e.g. via destroy.yml
).
You can use the cluster name command line option to define multiple clusters, each with vars in their own subfolders, and execute any playbook from the project in the container. This means you could maintain vars folders for multiple clusters that you set up on the fly and provision or destroy them independently. They will continue to maintain kubeconfigs in their tmp
subdirectory, and will all map the appropriate vars
subdirectory for the cluster name inside of the container at runtime. Container images will only be rebuilt when the cache expires or a change has been made, so you can continue to make edits and tweaks on the fly while running this workflow.
Do note that the containers run, in a podman
environment, as your user - without relabelling or remapping them - but on a docker
environment they are running fully priveleged. This is more privilege than containers normally get in either environment. This is to ensure that the repository files are mappable and editable by the container process as it executes, without having to tinker with UIDMAP or permissions to support this.
Additionally, you can do any portion of the following the following to skip having to specify these variables or be prompted for them:
export DEVSECOPS_CLUSTER=personal # The cluster name for vars directory and container image name
./run-playbook.sh cluster
# ^--this is just a playbook name, present in playbooks/*.yml
We welcome pull requests and issues. Please, include as much information as possible (the git commit you deployed from, censored copies of your vars files, and any relevant logs) for issues.