Fixes to enable Admiralty on OpenShift #134

Open
wants to merge 9 commits into
base: master
hfwen0502

  • Helm Chart: Fixed the RBAC changes to work with OpenShift. The changes have also been tested on Kubernetes clusters.
  • Documentation: Added a file explaining how to create a kubeconfig secret for OpenShift.

@adrienjt (Contributor) left a comment:

Thank you for submitting this pull request.

charts/multicluster-scheduler/templates/cr.yaml (outdated)

The [quick start guide](https://admiralty.io/docs/quick_start) provides clear instructions how to use Admiralty on Kubernetes clusters. The only
thing you need to pay special attention to is how to create a kubeconfig secret that would work in your OpenShift cluster on IBM Cloud. This tutorial will
guide you how to create the kubeconfig secret when you use the Red Hat OpenShift on IBM Cloud service.
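
Review bot: The second and third sentences of this paragraph both say the same thing (that the page covers creating the kubeconfig secret for OpenShift on IBM Cloud), and neither says which cluster the secret is created in or which cluster consumes it. Suggest merging them into one sentence that names the cluster holding the secret, and fixing "instructions how to use" and "guide you how to create" to "instructions on how to use" and "show you how to create".
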
Contributor:

Does this only work between ROKS clusters or would it also work to connect any source cluster (e.g., IKS, kind, etc.) to a target ROKS cluster?

Author (@hfwen0502, Feb 1, 2022):

The ROKS cluster will work with any IKS cluster. I have tested this using one ROKS cluster and one IKS cluster.

Contributor:

Okay, please update the doc to make that clear.

Author:

doc is updated.

user:
token: <service account token>
```
The fields, client-certificate and client-key, are being removed and certificate-authority-data and token fields are added.
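
Review bot: The sentence after the closing fence lists `certificate-authority-data` together with `token`, `client-certificate` and `client-key` as if all four sat in the `user:` block shown just above it; in a kubeconfig the CA data belongs to the cluster entry, while the other three are user credentials. Suggest stating which entry each field lives in and putting the field names in code formatting so they are not read as prose.
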
Contributor:

Could you use jq to edit the downloaded kubeconfig, like in the quick start guide, to make this more foolproof/automatisable?

Author:

Sure. I can provide the jq command. Shall I create another PR?

Contributor:

No, please update this PR to use jq.

Author:

done.

Contributor:

You now get the config twice, and the CA cert twice... this could be simplified.

Actually, I'm thinking this should become part of the quick start page itself. Using Tabs/TabItem, the user could select between kind and Red Hat OpenShift on IBM Cloud. (We'd add GKE/EKS/AKS tabs too later.) What do you think?

docs/tutorials/ocp-ibm.md (outdated)
hfwen0502 and others added 2 commits February 4, 2022 14:12
update based on the feedback from Adrien Trouillaud
@hfwen0502 (Author):

For the suggestions to incorporate OpenShift in the quick start guide, I am not sure how we would easily incorporate that in. The quick start guide just focused on clusters created by kind.

I do not understand your comments about getting CA and config twice. Users can just include those commands to create a new kubeconfig secret based on the original one. They do not need to manually prepare a modified kubeconfig. The part to compare the original kubeconfig and the modified kubeconfig is just for the explanation purpose.

@adrienjt (Contributor):

> For the suggestions to incorporate OpenShift in the quick start guide...

You'd also provide RHOKS equivalents for kind create cluster and other kind-specific commands.

> I do not understand your comments about getting CA and config twice...

As is, explanations read like instructions, which is confusing. For example:

  • "Let's modify the config file" implies that the file should be modified in an editor, but jq makes that unnecessary.
  • "For the token part, you can follow the instructions in the quick start guide to get the service account token." redirects to the quick start guide but relevant commands are now included here.
  • CA_DATA is not used. curl is called again to create the CA_CERT variable.
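
An added example (not part of the pull request or the Admiralty docs) of the single-pass rewrite discussed in this thread: the kubeconfig is read once, the client certificate fields are dropped, and the token and CA data are each set once. It is written in Python rather than jq so it runs without external tools; the sample kubeconfig, file paths, token and function names are constructed for illustration.

```python
import base64
import copy

# Constructed sample, shaped like `kubectl config view --minify --raw -o json` output.
SAMPLE_KUBECONFIG = {
    "apiVersion": "v1",
    "kind": "Config",
    "current-context": "roks",
    "clusters": [{"name": "roks", "cluster": {"server": "https://api.example.invalid:6443"}}],
    "contexts": [{"name": "roks", "context": {"cluster": "roks", "user": "admin"}}],
    "users": [{"name": "admin", "user": {
        "client-certificate": "/constructed/path/admin.pem",
        "client-key": "/constructed/path/admin-key.pem"}}],
}

CLIENT_CERT_FIELDS = ("client-certificate", "client-key",
                      "client-certificate-data", "client-key-data")


def to_token_kubeconfig(config, token, ca_pem):
    """Return a copy that authenticates with `token` and trusts only `ca_pem`."""
    if not token or not ca_pem.strip():
        raise ValueError("token and CA certificate are both required")
    out = copy.deepcopy(config)  # never mutate the admin kubeconfig in place
    if len(out["clusters"]) != 1 or len(out["users"]) != 1:
        raise ValueError("expected a minified kubeconfig (one cluster, one user)")
    cluster = out["clusters"][0]["cluster"]
    # A local CA file path is not available where the secret is mounted.
    cluster.pop("certificate-authority", None)
    # Do not carry over a setting that disables TLS verification.
    cluster.pop("insecure-skip-tls-verify", None)
    cluster["certificate-authority-data"] = base64.b64encode(ca_pem.encode()).decode()
    user = out["users"][0]["user"]
    for field in CLIENT_CERT_FIELDS:
        user.pop(field, None)
    user["token"] = token
    return out


def leftover_client_credentials(config):
    """List client-certificate fields still present; empty after the rewrite."""
    return [f for u in config["users"] for f in CLIENT_CERT_FIELDS if f in u["user"]]
```

Running `leftover_client_credentials` on the result before storing it in a secret confirms that no reference to the admin client key ends up in the source cluster.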

@hfwen0502 (Author):

Ok. Now I understand the comments about getting CA and config twice. Certainly can improve it.

There is no simple CLI command to create an OpenShift cluster on IBM Cloud. The best way I would recommend is to do it through the web console. That's why I included a doc link there regarding how to create OCP on IBM Cloud.

@hfwen0502 (Author):

I don't know if it makes sense to use a long command like this:

```
ibmcloud oc cluster create vpc-gen2 -h
NAME:
        vpc-gen2 - Create a cluster with worker nodes on Virtual Private Cloud (VPC) Gen 2 infrastructure.

USAGE:
        ibmcloud ks cluster create vpc-gen2 --flavor FLAVOR --name NAME --subnet-id ID --vpc-id ID --zone ZONE [--disable-public-service-endpoint] [--entitlement ENTITLEMENT] [--pod-subnet SUBNET] [-q] [--service-subnet SUBNET] [--version VERSION] [--workers COUNT]

PARAMETERS:
    --name value                       Enter a name for the cluster.
    --zone value                       Specify the zone for the worker pool in a multizone cluster. To list available zones, run 'ibmcloud ks zone ls'.
    --vpc-id value                     The ID of the VPC in which to create the worker nodes. To list available IDs, run 'ibmcloud ks vpcs'.
    --subnet-id value                  The VPC subnet to assign the cluster. To list available subnets, run 'ibmcloud ks subnets --provider vpc-classic --vpc-id <vpc-id> --zone <vpc-zone>'.
    --flavor value                     The flavor of the worker node. To see available flavors, run 'ibmcloud ks flavors --zone <zone name>' (for public IBM Cloud accounts) or 'ibmcloud ks flavors' (for IBM Cloud Dedicated accounts).
    --entitlement value                Set this flag to 'cloud_pak' only if you use this cluster with a Cloud Pak that has an OpenShift entitlement.
    --service-subnet value             Specify a custom subnet CIDR to provide private IP addresses for services. The subnet must be at least '/24' or larger. For more info, see 'https://ibm.biz/service-subnet' Default value: '172.21.0.0/16'
    --pod-subnet value                 Specify a custom subnet CIDR to provide private IP addresses for pods. The subnet must be at least '/23' or larger. For more info, see 'https://ibm.biz/pod-subnet'
    --workers value                    The number of worker nodes per zone in the default worker pool. (default: 1)
    --disable-public-service-endpoint  Disable the public service endpoint to prevent public access to the master.
    --version value                    Specify the Kubernetes or OpenShift version, including at least the major.minor version. If you do not include this flag, the default version is used. To see available versions, run 'ibmcloud ks versions'.
    -q                                 Do not show the message of the day or update reminders.
```

@adrienjt (Contributor):

> ibmcloud oc cluster create vpc-gen2

Yes, something like that.

We're about to release Admiralty 0.15 and I'd like to make it compatible with OpenShift. Since the doc change might take a while, could you please create a separate PR for the chart RBAC change, so I can merge that already?

@hfwen0502 (Author):

Sure. This is the new pull request: #144.
