rhc4tp-cluster.md

File metadata and controls

77 lines (63 loc) · 2.45 KB

# RHC4TP OpenShift Cluster Setup

The release pipeline publishes bundle images to registry.connect.redhat.com. The registry behind that address is the RHC4TP OpenShift cluster. The following steps must be performed to prepare the RHC4TP clusters for use by the pipeline.

1. Log in to the chosen cluster

2. Create a service account

   ```shell
   oc create sa operator-pipelines -n default
   ```
3. Create a kubeconfig for the service account. It should be stored in the repository Ansible Vault.

   ```shell
   clusterName=dev
   namespace=default
   serviceAccount=operator-pipelines
   # API server URL of the cluster you are logged in to. This is more robust than
   # parsing `oc cluster-info`, whose wording differs between versions.
   server=$(oc whoami --show-server)
   # The service account references several secrets (dockercfg, token) in no fixed
   # order, so select the token secret by name rather than by list index.
   # On clusters that no longer auto-create long-lived token secrets (Kubernetes 1.24+),
   # create a kubernetes.io/service-account-token secret annotated with the SA name first.
   secretName=$(oc --namespace "$namespace" get serviceaccount "$serviceAccount" \
       -o jsonpath='{.secrets[*].name}' | tr ' ' '\n' | grep -- '-token-' | head -n 1)
   # ca stays base64-encoded: certificate-authority-data expects base64
   ca=$(oc --namespace "$namespace" get secret/"$secretName" -o jsonpath='{.data.ca\.crt}')
   # the token is used in clear text in the kubeconfig, so decode it
   token=$(oc --namespace "$namespace" get secret/"$secretName" -o jsonpath='{.data.token}' | base64 --decode)

   # Prints the kubeconfig; redirect the output to a file and add that file to the Vault
   cat <<EOF
   ---
   apiVersion: v1
   kind: Config
   clusters:
     - name: ${clusterName}
       cluster:
         certificate-authority-data: ${ca}
         server: ${server}
   contexts:
     - name: ${serviceAccount}@${clusterName}
       context:
         cluster: ${clusterName}
         namespace: ${namespace}
         user: ${serviceAccount}
   users:
     - name: ${serviceAccount}
       user:
         token: ${token}
   current-context: ${serviceAccount}@${clusterName}
   EOF
   ```
4. Grant the service account the permissions to create projects and manage existing ones. Permissions are this high because the pipeline has to update roles in projects created by other service accounts.

   ```shell
   oc adm policy add-cluster-role-to-user cluster-admin -z operator-pipelines -n default
   ```
5. Create the dockerconfig secret, containing the credentials for the registry that stores the images to be published

   ```shell
   # .dockerconfigjson holds the base64 encoding of a docker config.json file,
   # e.g. the output of `base64 -w0 < config.json`
   cat << EOF > registry-secret.yml
   apiVersion: v1
   kind: Secret
   metadata:
     name: registry-dockerconfig-secret
   data:
     .dockerconfigjson: < BASE64 ENCODED DOCKER CONFIG >
   type: kubernetes.io/dockerconfigjson
   EOF

   oc create -f registry-secret.yml -n default
   ```
6. Link this secret with the created service account

   ```shell
   oc secret link operator-pipelines registry-dockerconfig-secret -n default
   ```
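As an added example (not code from the operator-pipelines repository), the following Python script does the part of step 3 that is easy to get wrong: it selects the service-account token secret by type and annotation instead of by list position, checks that the token's `sub` claim really names the intended service account before the kubeconfig goes into the Vault, and assembles the same kubeconfig structure. The function names, the API server URL and the sample secrets are constructed for the example, and the JWT is an unsigned placeholder rather than a real token.

```python
import base64
import json

# Identity the kubeconfig is expected to carry (matches the setup steps above)
EXPECTED_NAMESPACE = "default"
EXPECTED_SA = "operator-pipelines"


def _b64url_decode(data: str) -> bytes:
    """Decode a base64url JWT segment with its padding restored."""
    data += "=" * (-len(data) % 4)
    return base64.urlsafe_b64decode(data)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt_claims(token: str) -> dict:
    """Return the claims of a service-account JWT without verifying the signature.
    The API server verifies signatures; here we only check which identity the token names."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(_b64url_decode(parts[1]))


def select_token_secret(secrets: list, sa_name: str) -> dict:
    """Pick the service-account token secret out of `oc get secret -o json` items.
    Matching on type and annotation avoids the fragile .secrets[1] index."""
    matches = [
        s for s in secrets
        if s.get("type") == "kubernetes.io/service-account-token"
        and s.get("metadata", {}).get("annotations", {}).get("kubernetes.io/service-account.name") == sa_name
    ]
    if len(matches) != 1:
        raise ValueError(f"expected exactly one token secret for {sa_name}, found {len(matches)}")
    return matches[0]


def build_kubeconfig(secret: dict, cluster_name: str, server: str) -> dict:
    """Validate the secret contents and assemble the kubeconfig (JSON is valid YAML)."""
    ca_b64 = secret["data"]["ca.crt"]           # stays base64: certificate-authority-data wants base64
    ca_pem = base64.b64decode(ca_b64).decode()
    if not ca_pem.startswith("-----BEGIN CERTIFICATE-----"):
        raise ValueError("ca.crt is not a PEM certificate")
    token = base64.b64decode(secret["data"]["token"]).decode()
    claims = decode_jwt_claims(token)
    expected_sub = f"system:serviceaccount:{EXPECTED_NAMESPACE}:{EXPECTED_SA}"
    if claims.get("sub") != expected_sub:
        raise ValueError(f"token subject {claims.get('sub')!r} is not {expected_sub!r}")
    context = f"{EXPECTED_SA}@{cluster_name}"
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "clusters": [{"name": cluster_name,
                      "cluster": {"certificate-authority-data": ca_b64, "server": server}}],
        "contexts": [{"name": context,
                      "context": {"cluster": cluster_name, "namespace": EXPECTED_NAMESPACE, "user": EXPECTED_SA}}],
        "users": [{"name": EXPECTED_SA, "user": {"token": token}}],
        "current-context": context,
    }


# Constructed stand-ins for what the cluster would hand back; not real certificates or tokens.
CONSTRUCTED_CA_PEM = "-----BEGIN CERTIFICATE-----\nMIIBconstructedSampleNotARealCert==\n-----END CERTIFICATE-----\n"


def make_sample_sa_jwt(sub: str) -> str:
    """Unsigned JWT with the given subject; the signature segment is a placeholder."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "constructed"}).encode())
    payload = _b64url_encode(json.dumps({"iss": "kubernetes/serviceaccount", "sub": sub}).encode())
    return f"{header}.{payload}.placeholder-signature"


def build_sample_token_secret(sub: str) -> dict:
    """A constructed kubernetes.io/service-account-token secret carrying a token for `sub`."""
    return {"type": "kubernetes.io/service-account-token",
            "metadata": {"name": "operator-pipelines-token-fghij",
                         "annotations": {"kubernetes.io/service-account.name": EXPECTED_SA}},
            "data": {"ca.crt": base64.b64encode(CONSTRUCTED_CA_PEM.encode()).decode(),
                     "token": base64.b64encode(make_sample_sa_jwt(sub).encode()).decode()}}


# Constructed listing, with the dockercfg secret first to mimic the ordering problem.
SAMPLE_SECRETS = [
    {"type": "kubernetes.io/dockercfg",
     "metadata": {"name": "operator-pipelines-dockercfg-abcde",
                  "annotations": {"kubernetes.io/service-account.name": EXPECTED_SA}},
     "data": {".dockercfg": base64.b64encode(b"{}").decode()}},
    build_sample_token_secret(f"system:serviceaccount:{EXPECTED_NAMESPACE}:{EXPECTED_SA}"),
]


def generate_sample_kubeconfig() -> dict:
    secret = select_token_secret(SAMPLE_SECRETS, EXPECTED_SA)
    return build_kubeconfig(secret, "dev", "https://api.dev.example.com:6443")  # constructed URL


if __name__ == "__main__":
    print(json.dumps(generate_sample_kubeconfig(), indent=2))
```

Against a real cluster, feed `select_token_secret` the `items` of `oc get secret -n default -o json`; the identity check matters because a kubeconfig assembled from the wrong secret would either fail silently later or, worse, carry a token for a different service account into the Vault.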