Added updated SSP recipe, cleaned up hook generation - Githubissues

cloud-native-toolkit / multi-tenancy-gitops

Provides our opinionated point of view on how GitOps can be used to manage the infrastructure, services and application layers of K8s based systems

https://cloudnativetoolkit.dev/adopting/use-cases/gitops/gitops-ibm-cloud-paks/

Apache License 2.0

110 stars 730 forks source link

Added updated SSP recipe, cleaned up hook generation #294

Closed Knickkennedy closed 1 year ago

Knickkennedy commented 1 year ago

Signed-off-by: Knicholas Kennedy Knicholas.Kennedy@ibm.com

This is a pretty comprehensive cleanup and rework of the gitops configuration for the SSP containerized deployment.

hollisc commented 1 year ago

Please add a md file for the SSP recipe as well in the docs folder.

Knickkennedy commented 1 year ago

Please add a md file for the SSP recipe as well in the docs folder.

Fixed

hollisc commented 1 year ago

@Knickkennedy, in the recipe md file, can we provide the oc cmd for the user to retrieve the SSP URL and list the default credentials from the env file. Otherwise it looks good.

Knickkennedy commented 1 year ago

@hollisc added default credentials and route command!

hollisc commented 1 year ago

This PR depends on merge of https://github.com/cloud-native-toolkit/multi-tenancy-gitops-services/pull/61

vbudi000 commented 1 year ago

Just some comments on the documentation - maybe @Knickkennedy can put those in before the merge:

the RWO is a PVC access mode - not a memory (step 1 under Services customization)
formatting error on the line with ibmc-file-silver - You mentioned that this should be RWO per docs, but the template and storageclass you use are RWX and File
I suggest creating a template "ssp-env.sh" (or "ssp-env.sh.template" in the same path as "run-setup.sh" so that the passwords can then be modified. would be a lot easier for the user - or better yet - put the template on the top of run-setup.sh
the run-setup.sh should NOT creates the PVC and Secrets - it creates the YAML constructs for the PVC and Secrets which GitOps will apply

vbudi000 commented 1 year ago

Your run-setup.sh has an error that the kubeseal output is going to the terminal instead of a YAML file.

Here is the run-setup.sh that I use and working: https://github.com/vbudi-gitops-test/multi-tenancy-gitops-services/blob/master/instances/sterling-secure-proxy-setup/run-setup.sh

vbudi000 commented 1 year ago

Another - the list in SCC volumes should be alphabetical - otherwise it will show as OOS

vbudi000 commented 1 year ago

Several more:

May need to provide password requirement for SSP passphrase
Services must be "ClusterIP" instead of "LoadBalancer" otherwise it wont sync

Got error running the hook job - rsync is unavailable

pod/ibm-ssp-cm-ibm-ssp-cm-0 condition met
Defaulted container "ibm-ssp-cm-ibm-ssp-cm" out of: ibm-ssp-cm-ibm-ssp-cm, ibm-ssp-cm-ibm-ssp-cm-init-secret (init)
WARNING: cannot use rsync: rsync not available in container
Defaulted container "ibm-ssp-cm-ibm-ssp-cm" out of: ibm-ssp-cm-ibm-ssp-cm, ibm-ssp-cm-ibm-ssp-cm-init-secret (init)
tar: defkeyCert.txt: Cannot stat: Permission denied
tar: Exiting with failure status due to previous errors
error: error creating remote tar of source directory: command terminated with exit code 2
error: error reading ./tmp/defkeyCert.txt: no such file or directory
error: no objects passed to apply

vbudi000 commented 1 year ago

Hook job does not work - my modified version is here (and it works) https://github.com/vbudi-gitops-test/multi-tenancy-gitops-services/blob/master/instances/sterling-secure-proxy-hook/keycert-hook-job.yaml maybe can use this one - the problem that I found is the cm sts is using group 1000, so it cannot access the PVC as is with oc rsync or oc cp; and as the pvc is RWX, you can just mount it

vbudi000 commented 1 year ago

All pods are running, but the last verification steps to connect to CM cant get through; the cm sts logs has this:

Exception in thread "qtp432306461-24" java/lang/NoClassDefFoundError: com.ibm.oti.util.Msg
at java/lang/ThreadGroup.uncaughtException (ThreadGroup.java:867)
at java/lang/ThreadGroup.uncaughtException (ThreadGroup.java:861)
at java/lang/Thread.uncaughtException (Thread.java:1336)

vbudi000 commented 1 year ago

Summary:

Some suggestions on the docs (PVC RWO/RWX, mod the env variables, password rule, f/up with the updates below)
Modification of run-setup.sh https://github.com/vbudi-gitops-test/multi-tenancy-gitops-services/blob/master/instances/sterling-secure-proxy-setup/run-setup.sh
Modification of the hook job: https://github.com/vbudi-gitops-test/multi-tenancy-gitops-services/blob/master/instances/sterling-secure-proxy-hook/keycert-hook-job.yaml
Verification needs to be re-checked

davidstacy commented 1 year ago

can this be merged? anyone test recently? @hollisc @vbudi000

davidstacy commented 1 year ago

can this be merged? anyone test recently? @hollisc @vbudi000

hollisc commented 1 year ago

can this be merged? anyone test recently? @hollisc @vbudi000

@Knickkennedy , can you please have a look at Budi's comments above, I believe we were waiting for those changes to get into the PR before merging.

davidstacy commented 1 year ago

@Knickkennedy @hollisc following up - can this be merged?