Openshift
IVAAP Openshift Deployment Dependencies¶
This guide highlights details specific to deploying the IVAAP Helm Template into an Openshift cluster. There are no special requirements for the cluster, but it is important that the worker nodes are large enough to accommodate the backend pod. For details, refer to the Multi-host Orchestration Environments section of the IVAAP Technical Datasheet.
Note that this guide does not go into full deployment and configuration details; it only contains details specific to Openshift deployments. Throughout this guide, there are links to other guides. The primary guide for deployment configuration is the General Helm Configuration Guide.
Configuring Helm for Openshift¶
The IVAAP Helm template is universal, and the only major difference between cluster types is the ingress controller that is created. To ensure IVAAP uses the correct ingress controller for your cluster, .Values.environment.type.openshift.enabled must be set to true.
environment:
  type:
    openshift:
      # Must be true so the chart creates the Openshift route ingress
      enabled: true
PostgreSQL Database¶
At this time, we do not support any Postgres operator available on Openshift. If your Openshift cluster is deployed in AWS ROSA, we recommend using the RDS Postgres service. Likewise, if your Openshift cluster is deployed in Azure, we recommend using the Azure Managed Postgres service. For other Openshift deployment methods, it may be best to run an external, self-hosted PostgreSQL server.
For in-depth details on setting up this database, refer to IVAAP Deployment Operations Guide - Database Administration.
Additionally, refer to the PostgreSQL section of the IVAAP Technical Data Sheet.
IVAAP Secrets¶
Native Kubernetes Secrets¶
The only supported method for handling IVAAP secrets in Openshift is native Kubernetes secrets.
For steps on how to configure Kubernetes secrets, refer to the General Helm Configuration Guide's section on native Kubernetes secrets.
Ingress¶
Router Canonical Hostname¶
In Openshift deployments, we use a route ingress controller.
environment:
  type:
    openshift:
      enabled: ""
      routerCanonicalHostname: ""
      # ----- In openshift, you have the option of adding TLS certificate and key via Kubernetes secret (.Values.environment.TLSSecret),
      # ----- or by passing the TLS certificate and key directly to route.yaml via the values below.
      # ----- Passing as kubernetes secret is the recommended option.
      tlsCertificate: ""
      tlsKey: ""
For configuring Openshift deployments, the value for routerCanonicalHostname should be the domain of your Openshift router. To piece together this value, first get the Ingress domain used by the cluster:
[user@openshift ~]$ oc get ingress.config.openshift.io cluster -o jsonpath='{.spec.domain}'
apps.ivaap-k8.int.com
Next, get the router name. OpenShift uses router-default by default. To confirm:
[user@openshift ~]$ oc get pods -n openshift-ingress
NAME                             READY   STATUS    RESTARTS   AGE
router-default-698797c96-nnsmc   1/1     Running   0          99d
In this particular case, the value of routerCanonicalHostname will be router-default.apps.ivaap-k8.int.com.
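The two lookups above combined into one helper, as an added example that is not part of the IVAAP tooling. It assumes router pods follow the usual Deployment naming, `<router name>-<ReplicaSet hash>-<pod suffix>`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: derive routerCanonicalHostname from the two `oc` outputs.

# Read an `oc get pods -n openshift-ingress` listing on stdin and print the
# router name of the first Running pod, i.e. the pod name without the
# ReplicaSet hash and pod suffix (assumed Deployment naming).
router_name_from_pods() {
    awk 'NR > 1 && $3 == "Running" {
             n = split($1, part, "-")
             if (n < 3) next
             name = part[1]
             for (i = 2; i <= n - 2; i++) name = name "-" part[i]
             print name
             exit
         }'
}

# router_canonical_hostname <pods-listing> <ingress-domain>
# Prints "<router name>.<ingress domain>", or fails if either part is unusable.
router_canonical_hostname() {
    router=$(printf '%s\n' "$1" | router_name_from_pods)
    domain=$2
    if [ -z "$router" ]; then
        echo "no Running router pod found in listing" >&2
        return 1
    fi
    case $domain in
        ''|*[!A-Za-z0-9.-]*|.*|*.)
            echo "unexpected ingress domain: '$domain'" >&2
            return 1 ;;
    esac
    printf '%s.%s\n' "$router" "$domain"
}

# Live use on a workstation that is logged in to the cluster: sh script.sh --live
if [ "${1:-}" = "--live" ] && command -v oc >/dev/null 2>&1; then
    router_canonical_hostname \
        "$(oc get pods -n openshift-ingress)" \
        "$(oc get ingress.config.openshift.io cluster -o jsonpath='{.spec.domain}')"
fi
```
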
TLS Certificate and Key¶
In the Openshift route, there are two methods for applying TLS:
- Create a Kubernetes secret and set .Values.environment.TLSSecret.enabled to true.
- Directly pass your TLS Certificate and Key as values: .Values.environment.type.openshift.tlsCertificate and .Values.environment.type.openshift.tlsKey
Only one method should be chosen. If .Values.environment.TLSSecret.enabled is set to false, IVAAP Helm will assume the values will be passed into Helm directly.
TLS Kubernetes Secret¶
For steps on how to create and configure the TLS Secret, refer to the General Helm Configuration Guide's section on TLS Secret.
Directly Passing TLS as Values¶
The certificate and key can be passed as values through Helm.
environment:
  type:
    openshift:
      enabled: true
      routerCanonicalHostname: "router-default.apps.ivaap-k8.int.com"
      tlsCertificate: |
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----
      tlsKey: |
        -----BEGIN PRIVATE KEY-----
        ...
        -----END PRIVATE KEY-----
Because the certificate and key are in plain text, this method is recommended only when deploying from a pipeline. Storing them as plain text in the deployment YAML is not recommended.
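One way a pipeline can follow this advice, as an added example that is not part of the IVAAP Helm chart or its tooling: a check that fails when a values file carries inline key material, and a helper that passes the certificate and key from files with Helm's `--set-file` flag instead. The function names, file paths, and the `<release>` and `<chart>` placeholders are assumptions.

```shell
#!/bin/sh
# Added example: keep TLS key material out of committed values files.

# values_has_inline_key <values.yaml>
# Succeeds (exit 0) if the file contains a PEM private key header or a
# tlsKey entry that is anything other than empty ("" or '').
values_has_inline_key() {
    grep -Eq -e '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$1" && return 0
    grep -E '^[[:space:]]*tlsKey:' "$1" |
        grep -Evq "^[[:space:]]*tlsKey:[[:space:]]*(\"\"|'')?[[:space:]]*(#.*)?\$"
}

# helm_tls_args <cert-file> <key-file>
# Prints the Helm arguments for the direct-values method, one per line.
# --set-file makes Helm read each value from the file at deploy time.
helm_tls_args() {
    if [ ! -r "$1" ] || [ ! -r "$2" ]; then
        echo "certificate or key file is not readable" >&2
        return 1
    fi
    printf '%s\n' \
        "--set environment.TLSSecret.enabled=false" \
        "--set-file environment.type.openshift.tlsCertificate=$1" \
        "--set-file environment.type.openshift.tlsKey=$2"
}

# Pipeline use (paths come from the pipeline's secret store, not the repo):
#   sh tls-guard.sh check values.yaml
#   helm upgrade --install <release> <chart> -f values.yaml \
#       $(helm_tls_args "$TLS_CERT_FILE" "$TLS_KEY_FILE")
if [ "${1:-}" = "check" ]; then
    if values_has_inline_key "$2"; then
        echo "$2: inline TLS key found; pass it with --set-file instead" >&2
        exit 1
    fi
fi
```
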