
ODC-Noord

ODC-Noord provides Kubernetes clusters based on OpenShift.

Components

Not all Haven+ components are deployed:

  • Keycloak: not deployed; ODC-Noord provides Keycloak out-of-the-box.
  • Pinniped: not deployed; it is not needed, because the OpenShift CLI (oc) authenticates through the ODC-Noord Keycloak to get cluster access.
  • Velero: not deployed; ODC-Noord provides Velero in the namespace quattro-velero.

Connecting to the cluster

  1. install OpenVPN Connect
  2. import the VPN profile you obtained from ODC-Noord
  3. connect with OpenVPN Connect; the password field takes your password immediately followed by the OTP, as a single string
  4. log in to the Keycloak instance provided by ODC-Noord
  5. log in to OpenShift using Keycloak
  6. run oc login --server=[Kube API endpoint] --web (the --web flag completes the login through your browser)
  7. oc login writes the credentials and context to ~/.kube/config

Security

SecurityContextConstraints

ODC-Noord runs OpenShift, which uses Security Context Constraints (SCCs) to control what a pod is allowed to do at admission time.

For Haven+ we added a few SecurityContextConstraints (infrastructure/cluster-resources/overlays/odc-noord/scc.yaml):

  • haven-plus-scc: this SCC allows deploying the components with minimal changes.
  • haven-plus-scc-cnpg: this SCC is required for CloudNative-PG clusters to initialize. It grants the user and volume permissions the CNPG pods need; without it the containers fail with errors such as runc create failed: unable to start container process: exec: "/controller/manager": permission denied.

Both SCCs are broad by design. For production you should define a tighter SCC per component that grants only what that component actually needs.

For each of these SCCs we include a ClusterRole that grants the use verb on that SCC, and each component gets a ClusterRoleBinding that ties the ClusterRole to the component's ServiceAccount. In OpenShift this is what allows pods running under that ServiceAccount to be admitted under the custom SCC instead of the default restricted one.
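The three objects involved, as an added illustration that is not the contents of scc.yaml (this page does not reproduce that file): a conservative SCC, the ClusterRole that grants use on it, and a binding for one component's ServiceAccount. The SCC name haven-plus-scc-example, the namespace loki and the ServiceAccount name loki are placeholders, and the SCC settings are a hardened starting point rather than the values in the Haven+ overlay.

```yaml
# Added illustration, not the Haven+ overlay's own manifests. Names are placeholders.
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: haven-plus-scc-example
# Nothing host-related, no privilege, no capability left behind:
allowPrivilegedContainer: false
allowPrivilegeEscalation: false
allowHostNetwork: false
allowHostPID: false
allowHostIPC: false
allowHostPorts: false
allowHostDirVolumePlugin: false
readOnlyRootFilesystem: false
requiredDropCapabilities: ["ALL"]
runAsUser:
  type: MustRunAsNonRoot   # relax to RunAsAny only for a component that really needs a fixed UID
seLinuxContext:
  type: MustRunAs
fsGroup:
  type: RunAsAny
supplementalGroups:
  type: RunAsAny
volumes: ["configMap", "secret", "emptyDir", "persistentVolumeClaim", "projected", "downwardAPI"]
---
# An SCC is only applied to a pod whose ServiceAccount (or user) may "use" it;
# that permission is ordinary RBAC on the securitycontextconstraints resource.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: haven-plus-scc-example-user
rules:
- apiGroups: ["security.openshift.io"]
  resources: ["securitycontextconstraints"]
  resourceNames: ["haven-plus-scc-example"]
  verbs: ["use"]
---
# Binding for one component. A namespaced RoleBinding to the ClusterRole is enough
# and is tighter than a ClusterRoleBinding: only this ServiceAccount, in this
# namespace, can be admitted under the SCC.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: loki-use-haven-plus-scc-example
  namespace: loki            # placeholder component namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: haven-plus-scc-example-user
subjects:
- kind: ServiceAccount
  name: loki                 # placeholder ServiceAccount
  namespace: loki
```

To verify which SCC a running pod was actually admitted under, read its openshift.io/scc annotation (oc get pod NAME -o jsonpath='{.metadata.annotations.openshift\.io/scc}'); oc adm policy who-can use scc haven-plus-scc lists every subject allowed to use an SCC, which is a quick way to confirm a binding landed on the intended ServiceAccount and nothing else.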

Sealed Secrets

ODC-Noord clusters ship with a Sealed Secrets controller, but that instance is reserved for quattro/internal use. For all other workloads, always use the Haven+ Sealed Secrets instance: when you run kubeseal, point it at the Haven+ controller (its --controller-name and --controller-namespace), because a secret sealed with the other controller's public key can never be decrypted by the Haven+ controller.

Important: after generating any Sealed Secret, you must add the label havenplus.commonground.nl/sealed-secrets: "" to the SealedSecret object's own metadata.

Example:

---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  creationTimestamp: null
  name: s3-credentials
  namespace: loki
  labels:
    havenplus.commonground.nl/sealed-secrets: ""
spec:
  encryptedData:
    ....

Without this label the Haven+ controller does not pick up the Sealed Secret, so it fails to sync and is never decrypted into a Secret.
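Adding the label by hand is easy to forget, so here is an added example (not part of the Haven+ project) of a small shell helper that post-processes kubeseal's output. kubeseal copies the labels of the input Secret into spec.template.metadata, not into the SealedSecret's own metadata, which is why the label has to be added to the sealed manifest afterwards. The controller name sealed-secrets and the namespace havenplus used in seal_and_label are placeholders for the Haven+ instance's values, and the sample manifest at the bottom is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not Haven+ project code. Adds the label required by the Haven+
# Sealed Secrets controller to a SealedSecret manifest produced by kubeseal.

LABEL_KEY='havenplus.commonground.nl/sealed-secrets'

# Reads one SealedSecret manifest on stdin and writes it to stdout with
# metadata.labels.<LABEL_KEY>: "" set. Idempotent: an existing metadata.labels
# block is reused and a pre-existing copy of the label is not duplicated.
add_havenplus_label() {
  awk -v key="$LABEL_KEY" '
    BEGIN { lbl = "    " key ": \"\"" }
    /^metadata:[ \t]*$/ { in_meta = 1; print; next }       # top-level metadata block starts
    in_meta && /^[^ \t]/ {                                 # next top-level key: block ended
      if (!done) print "  labels:\n" lbl                   # no labels block seen, add one
      in_meta = 0; done = 1
    }
    in_meta && /^  labels:[ \t]*$/ { print; print lbl; done = 1; next }
    in_meta && index($0, "    " key ":") == 1 { next }     # drop pre-existing copy (re-emitted above)
    { print }
    END { if (in_meta && !done) print "  labels:\n" lbl }  # metadata was the last block
  '
}

# True when the manifest on stdin already carries the label on the SealedSecret
# itself (indent 4 = metadata.labels; the template labels under spec sit deeper).
has_havenplus_label() {
  grep -q "^    ${LABEL_KEY}: \"\"\$"
}

# The real pipeline for a new secret. Controller name and namespace are
# placeholders: use the Haven+ instance's values, never the quattro-internal one,
# or the secret is encrypted for a key the Haven+ controller does not hold.
# usage: seal_and_label <namespace> <secret-name> --from-literal=k=v [--from-file=...]
seal_and_label() {
  ns=$1; name=$2; shift 2
  kubectl -n "$ns" create secret generic "$name" "$@" --dry-run=client -o yaml \
    | kubeseal --controller-name sealed-secrets --controller-namespace havenplus --format yaml \
    | add_havenplus_label
}

# Constructed sample in the shape kubeseal emits (encryptedData value is a dummy).
SAMPLE='apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  creationTimestamp: null
  name: s3-credentials
  namespace: loki
spec:
  encryptedData:
    access_key: AgB...constructed...
  template:
    metadata:
      creationTimestamp: null
      name: s3-credentials
      namespace: loki'

printf '%s\n' "$SAMPLE" | add_havenplus_label
```

Run it as a filter on kubeseal's output (or call seal_and_label directly) and keep the labeled manifest in Git; a quick has_havenplus_label check in CI catches a sealed secret that was committed without the label before it silently fails to sync.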

Flux

For Flux, we followed the official recommendations: https://fluxcd.io/flux/installation/configuration/openshift/

Object Storage

Several components depend on S3 object storage, e.g. Loki. After you have received the credentials for your S3 account, you need to create the required buckets yourself. Be aware that the ODC-Noord S3 endpoint cannot be reached through their VPN, so you have to create the buckets from a pod running inside the cluster.

First create a file named .s3cfg:

cat > .s3cfg <<EOF
[default]
access_key = <received from ODCN>
secret_key = <received from ODCN>
host_base = <received from ODCN>
host_bucket = <received from ODCN>
use_https = True
EOF

Create a secret from it in the quattro-debug namespace (the --dry-run=client -o yaml form only prints the manifest, so pipe it into kubectl apply to actually create it), and delete the local .s3cfg afterwards, since it holds the credentials in plaintext:

kubectl -n quattro-debug create secret generic s3config --from-file .s3cfg --dry-run=client -o yaml | kubectl apply -f -

Use the following manifest to launch an s3cmd pod in the quattro-debug namespace with the secret mounted as /root/.s3cfg:

kubectl -n quattro-debug apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: s3cmd
spec:
  containers:
  - name: s3cmd
    image: d3fk/s3cmd:latest
    command: ["/bin/sh", "-c", "sleep 3600"]
    volumeMounts:
    - name: s3config
      mountPath: /root/
  volumes:
  - name: s3config
    secret:
      secretName: s3config
  restartPolicy: Never
EOF

Exec into the pod:

kubectl -n quattro-debug exec -ti s3cmd -- sh

Now you can create the buckets. s3cmd reads its configuration from $HOME/.s3cfg; if the pod was admitted under an SCC that assigns it a random UID, HOME is not /root, so pass the file explicitly with the -c /root/.s3cfg option:

s3cmd mb s3://havenplus-temp
s3cmd ls

When you are done, delete the s3cmd pod and the s3config secret from quattro-debug: the secret holds the S3 credentials and is no longer needed once the buckets exist.