Openshift 4.5 Training


date: 2020-10-22T13:13:33


Controlling access to OpenShift resources
• Remove the ability to create projects at the cluster level.
• Grant groups the ability to create projects.
• Manage user privileges in projects by granting privileges to groups.
• Use security context constraints to give extra privileges to service accounts.
• Use secrets to provide sensitive information to deployments.

  1. Log in to your OpenShift cluster as the admin user and remove the ability to create projects cluster wide.

  2. Create a group named wp-mgrs for the WordPress managers and grant project creation privileges to it. Add the leader user to the group and create the authorization-review project as the leader user.

  3. Create a group named wp-devs and grant edit privileges on the authorization-review project. Add the developer user to the group.

  4. Create a group named wp-qa and grant view privileges on the authorization-review project. Add the qa user to the group.

  5. Allow the wordpress application to run as root: create a service account named wordpress-sa and grant the anyuid SCC to it.

  6. As the developer user, create a secret named review-secret, which you will use with the MySQL database and WordPress applications. The secret should include three key-value pairs: user=wpuser, password=redhat123, and database=wordpress.

  7. Deploy a MySQL database application named mysql using the image located at registry.access.redhat.com/rhscl/mysql-57-rhel7:5.7-47. After it is deployed, modify the deployment to use the review-secret secret as environment variables with the MYSQL_ prefix.

  8. Deploy a WordPress application named wordpress using the container image located at docker.io/library/wordpress:5.3.0. Add the WORDPRESS_DB_HOST=mysql and WORDPRESS_DB_NAME=wordpress environment variables when creating the application. Once deployed, modify the wordpress deployment to use the review-secret secret as environment variables with the WORDPRESS_DB_ prefix. The application needs these additional variables to connect to the database. Because the wordpress application needs extra privileges, assign the wordpress-sa service account to it.

  9. As the qa user, verify the mysql database and wordpress application status and try to make a change to the wordpress deployment.
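The namespaced role binding and the SCC grant from steps 3 and 5, written as manifests; this is an added example, not the course's own lab solution, and the ClusterRole name scc-anyuid-use is my own choice:

```yaml
# Added example, not the course lab solution: steps 3 and 5 of this lab as
# manifests for the authorization-review project.
# Step 3: a namespaced RoleBinding to the edit ClusterRole, so wp-devs can
# write to this project only, not to the whole cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: wp-devs-edit
  namespace: authorization-review
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: edit
subjects:
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: wp-devs
---
# Step 5: the RBAC form of "oc adm policy add-scc-to-user anyuid -z wordpress-sa".
# Only wordpress-sa may "use" anyuid, and only in this namespace; pods running
# under the project's default service account stay on the restricted SCC.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: wordpress-sa
  namespace: authorization-review
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: scc-anyuid-use
rules:
- apiGroups: ["security.openshift.io"]
  resources: ["securitycontextconstraints"]
  resourceNames: ["anyuid"]
  verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: wordpress-sa-anyuid
  namespace: authorization-review
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: scc-anyuid-use
subjects:
- kind: ServiceAccount
  name: wordpress-sa
  namespace: authorization-review
```

Check the result as the qa user in step 9: `oc auth can-i patch deployment/wordpress -n authorization-review` should answer no, because wp-qa only holds view.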

Configuring OpenShift Networking Components
• Deploy an application and configure an insecure route.
• Generate a TLS certificate for an application.
• Configure a pass-through termination route for an application with a TLS certificate.

  1. As the OpenShift developer user, create the network-review project.

  2. As the developer user, deploy the first, insecure version of the PHP-SSL application in the network-review OpenShift project. Use the resources file available at ~/DO280/labs/network-review/php-http.yaml. Before deploying the application, make the necessary changes to the file, namely the location of the container image and the port on which it listens. After creating the application, wait a few moments to ensure that one pod is running.

  3. Create a route named php-http, with a host name of php-http.apps.ocp4.example.com, to access the application. From workstation, use Firefox to access http://php-http.apps.ocp4.example.com. Confirm the availability of the application before proceeding to the next step.

  4. Generate and sign a TLS certificate for the encrypted version of the application. Create a certificate signing request (CSR) for the php-https.apps.ocp4.example.com hostname. Save the CSR to ~/DO280/labs/network-review/certs/training.csr. Use the CSR to generate a certificate and save it to ~/DO280/labs/network-review/certs/training.crt. To generate the certificate, pass as arguments the CA accessible at ~/DO280/labs/network-review/certs/training-CA.pem and the CSR. You can use the ~/DO280/labs/network-review/certs/openssl-commands.txt text file for help. This file contains the commands for generating the certificate signing request and the certificate. Make sure to replace the values in the file before copying and running the OpenSSL commands.

  5. As the developer user, create an OpenShift TLS secret named php-certs in the network-review project. Use ~/DO280/labs/network-review/certs/training.crt for the certificate and ~/DO280/labs/network-review/certs/training.key for the key.

  6. Use the resources file, available at ~/DO280/labs/network-review/php-https.yaml, to deploy the second, secure version of the PHP-SSL application. Deploy the application in the network-review OpenShift project. Before deploying the application, make the necessary changes to the resources file, namely:
    • The location of the container.
    • The port the application listens on.
    • The name of the secret to mount as a volume.

  7. Create a secure pass-through route named php-https, with a host name of php-https.apps.ocp4.example.com, to access the secure version of the application. From workstation, use Firefox to access https://php-https.apps.ocp4.example.com. Accept the signed certificate and confirm the availability of the application.

  8. Optional step: from workstation, use curl to access the HTTPS version of the application.

  9. Return to your home folder, as the lab network-review finish command will delete the network-review folder.
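Steps 6 and 7 as added example manifests (not the course's php-https.yaml); the image, the 8443 container port, the mount path and the php-https Service name are assumptions, and php-certs is the TLS secret from step 5:

```yaml
# Added example, not the course's php-https.yaml: steps 6 and 7 as manifests.
# The image, the container port (8443) and the mount path are assumptions;
# php-certs is the kubernetes.io/tls secret created in step 5.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: php-https
  namespace: network-review
spec:
  selector:
    matchLabels: {app: php-https}
  template:
    metadata:
      labels: {app: php-https}
    spec:
      containers:
      - name: php-https
        image: <image from php-https.yaml>
        ports:
        - containerPort: 8443
        volumeMounts:
        - name: tls-certs
          mountPath: /etc/pki/tls/certs   # assumed; the app reads tls.crt and tls.key here
          readOnly: true                  # the key is never writable from the container
      volumes:
      - name: tls-certs
        secret:
          secretName: php-certs           # step 6: the secret mounted as a volume
---
# Step 7: passthrough forwards the encrypted stream unchanged, so the router
# never holds the private key or sees plaintext, unlike edge or re-encrypt.
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: php-https
  namespace: network-review
spec:
  host: php-https.apps.ocp4.example.com
  to:
    kind: Service
    name: php-https
  port:
    targetPort: 8443
  tls:
    termination: passthrough
```

For the optional step 8, `curl --cacert ~/DO280/labs/network-review/certs/training-CA.pem https://php-https.apps.ocp4.example.com` verifies the chain against the lab CA instead of disabling verification with -k.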

Controlling Pod Scheduling
• Add a new label to nodes.
• Deploy pods to nodes that match a specified label.
• Request CPU and memory resources for pods.
• Configure an application to scale automatically.

  1. As the admin user, label two nodes with the tier label. Give the master01 node the label of tier=gold and the master02 node the label of tier=silver.

  2. Switch to the developer user and create a new project named schedule-review.

  3. Create a new application named loadtest using the container image located at quay.io/redhattraining/loadtest:v1.0. The loadtest application should be deployed to nodes labeled with tier=silver. Ensure that each container requests 100m of CPU and 20Mi of memory.

  4. Create a route to your application named loadtest using the default (automatically generated) host name. Depending on how you created your application, you might need to create a service before creating the route. Your application works as expected if running curl http://loadtest-schedule-review.apps.ocp4.example.com/api/loadtest/v1/healthz returns {"health":"ok"}.

  5. Create a horizontal pod autoscaler named loadtest for the loadtest application that will scale from 2 pods to a maximum of 40 pods if CPU load exceeds 70%. You can test the horizontal pod autoscaler with the following command: curl -X GET http://loadtest-schedule-review.apps.ocp4.example.com/api/loadtest/v1/cpu/3

  6. As the admin user, implement a quota named review-quota on the schedule-review project. Limit the schedule-review project to a maximum of 1 full CPU, 2G of memory, and 20 pods.
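Steps 3, 5 and 6 as added example manifests, not the course's own solution; the Service and Route for step 4 are left out, and the comments spell out how the quota and the autoscaler interact:

```yaml
# Added example, not the course lab solution: steps 3, 5 and 6 of this lab as manifests.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: loadtest
  namespace: schedule-review
spec:
  selector:
    matchLabels: {app: loadtest}
  template:
    metadata:
      labels: {app: loadtest}
    spec:
      nodeSelector:
        tier: silver        # step 3: only nodes carrying this label are eligible
      containers:
      - name: loadtest
        image: quay.io/redhattraining/loadtest:v1.0
        resources:
          requests:         # reserved per pod; the HPA's 70% target is measured
            cpu: 100m       # against this cpu request, not against the node
            memory: 20Mi
---
# Step 5: keep between 2 and 40 replicas, adding pods when average CPU use exceeds 70%.
apiVersion: autoscaling/v1
kind: HorizontalPodAutoscaler
metadata:
  name: loadtest
  namespace: schedule-review
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: loadtest
  minReplicas: 2
  maxReplicas: 40
  targetCPUUtilizationPercentage: 70
---
# Step 6: the quota caps the whole project. At 100m per pod, 1 CPU of requests admits
# 10 pods, so the HPA stalls far below maxReplicas; and once the quota exists, any pod
# that omits cpu or memory requests is rejected by the quota admission check.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: review-quota
  namespace: schedule-review
spec:
  hard:
    cpu: "1"
    memory: 2G
    pods: "20"
```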

Managing the Cluster with the Web Console
• Modify a secret to add htpasswd entries for new users.
• Configure a new project with role-based access controls and resource quotas.
• Use an OperatorHub operator to deploy a database.
• Create a deployment, service, and route for a web application.
• Troubleshoot an application using events and logs.

  1. Log in to the OpenShift web console as the admin user.

  2. Add htpasswd entries to the localusers secret for users named dba and tester using redhat as the password.

  3. Create a new app-team group that contains the developer and dba users.

  4. Create a new console-review project with a view role binding for the tester user and an edit role binding for the app-team group. Set a resource quota that limits the project to three pods.

  5. Install the Certified CockroachDB operator for use in all namespaces.

  6. Create a RoleBinding that allows the dba user to view resources in the openshift-operators project.

  7. As the dba user, deploy a CockroachDB database instance into the console-review project using the OpenShift web console. This will bring the project’s total pod count to three.

  8. As the developer user, create a deployment, service, and route in the console-review project with issues that you will troubleshoot in the next step. Use the quay.io/redhattraining/exoplanets:v1.0 image, and name all of the new resources

Install, Manage, and Troubleshoot an OpenShift Cluster

• Create a new project.
• Perform a smoke test of the OpenShift cluster by creating an application using the source-to-image process.
• Create applications using either deployment or deploymentconfig resources.
• Use the HTPasswd identity provider for managing users.
• Create and manage groups.
• Manage RBAC and SCC for users and groups.
• Manage secrets for databases and applications.
• Troubleshoot common problems.

  1. As the kubeadmin user, create the comprehensive-review project. The password for the kubeadmin user is located in the /usr/local/etc/ocp4.config file on the RHT_OCP4_KUBEADM_PASSWD line. Perform all subsequent tasks in the comprehensive-review project.

  2. Perform a smoke test of the cluster to verify basic cluster functionality. Use a deployment configuration to create an application named hello-world-nginx. The application source code is located in the hello-world-nginx subdirectory of the https://github.com/RedHatTraining/DO280-apps repository. Create a route for the application using any available hostname in the apps.ocp4.example.com subdomain, and then verify that the application responds to external requests.

  3. Configure the cluster to use an HTPasswd identity provider. The name of the identity provider is cluster-users. The identity provider reads htpasswd credentials stored in the compreview-users secret. Ensure that four user accounts exist: admin, leader, developer, and qa-engineer. All user accounts must use review as the password. Add the cluster-admin role to the admin user.

  4. As the admin user, create three user groups: leaders, developers, and qa. Assign the leader user to the leaders group, the developer user to the developers group, and the qa-engineer user to the qa group. Assign roles to each group:
    • Assign the self-provisioner role to the leaders group, which allows members to create projects. For this role to be effective, you must also remove the ability of any authenticated user to create new projects.
    • Assign the edit role to the developers group for the comprehensive-review project only, which allows members to create and delete project resources.
    • Assign the view role to the qa group for the comprehensive-review project only, which provides members with read access to project resources.

  5. As the developer user, use a deployment to create an application named mysql in the comprehensive-review project. Use the container image available at registry.access.redhat.com/rhscl/mysql-57-rhel7:5.7. This application provides a shared database service for other project applications. Create a generic secret named mysql using password as the key and r3dh4t123 as the value. Set the MYSQL_ROOT_PASSWORD environment variable to the value of the password key in the mysql secret.

  6. As the developer user, use a deployment to create an application named wordpress. Create the application in the comprehensive-review project. Use the image available at docker.io/library/wordpress:5.3.0. Configure the WORDPRESS_DB_HOST environment variable to have a value of mysql. The application uses this variable to connect to the mysql database service provided by the mysql application. Configure the WORDPRESS_DB_NAME environment variable to have a value of wordpress. The application uses this variable to identify the name of the database. If the database does not exist on the database server, then the application attempts to create a new database with this name. Set the WORDPRESS_DB_USER environment variable to have a value of root. Set the WORDPRESS_DB_PASSWORD environment variable to the value of the password key in the mysql secret. The value of the WORDPRESS_DB_PASSWORD environment variable must be the same as the mysql root user password. The wordpress application also requires the anyuid security context constraint. Create a service account named wordpress-sa, and then assign the anyuid security context constraint to it. Configure the wordpress deployment to use the wordpress-sa service account. Create a route for the application using any available hostname in the apps.ocp4.example.com subdomain. If you correctly deploy the application, then an installation wizard displays when you access the application from a browser.

  7. As the developer user, deploy the famous-quotes application in the comprehensive-review project using the ~/DO280/labs/comprehensive-review/deploy_famous-quotes.sh script. This script creates the defaultdb database and the resources defined in the ~/DO280/labs/comprehensive-review/famous-quotes.yaml file. The application pods do not initially deploy after you execute the script. The famous-quotes deployment configuration specifies a node selector, and there are no cluster nodes with a matching node label. Remove the node selector from the deployment configuration, which enables OpenShift to schedule application pods on any available node. Create a route for the famous-quotes application using any available hostname in the apps.ocp4.example.com subdomain, and then verify that the application responds to external requests.
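Steps 3 and 6 as added example manifests, not the course's solution; the mysql secret and the wordpress-sa service account are the ones created in steps 5 and 6, and placing the htpasswd secret in openshift-config under the key "htpasswd" is the standard OpenShift 4 layout:

```yaml
# Added example, not the course lab solution: steps 3 and 6 of this lab as
# manifests. The compreview-users secret must live in the openshift-config
# namespace and hold the htpasswd file under the key "htpasswd".
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: cluster-users
    mappingMethod: claim
    type: HTPasswd
    htpasswd:
      fileData:
        name: compreview-users
---
# Step 6: the database password is read from the mysql secret when the pod
# starts, so the value is never stored in the Deployment object itself.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: wordpress
  namespace: comprehensive-review
spec:
  selector:
    matchLabels: {app: wordpress}
  template:
    metadata:
      labels: {app: wordpress}
    spec:
      serviceAccountName: wordpress-sa   # carries the anyuid SCC grant
      containers:
      - name: wordpress
        image: docker.io/library/wordpress:5.3.0
        env:
        - name: WORDPRESS_DB_HOST
          value: mysql
        - name: WORDPRESS_DB_NAME
          value: wordpress
        - name: WORDPRESS_DB_USER
          value: root
        - name: WORDPRESS_DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysql
              key: password
```

After applying the OAuth change, the oauth-openshift pods in openshift-authentication roll out again, so `oc login -u admin -p review` only succeeds once that rollout finishes.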
