Installing for OpenShift Container Platform with Gluster¶

Prerequisites¶

Before installing Kubesafe, you need the following:

A working OpenShift Container Platform 3.x cluster running with access to AWS S3, SNS, and SQS services. Make sure you have access to configuration details about the S3 bucket, including
- AWS access key
- AWS private key
- AWS region
A storage class which is capable of provisioning Gluster volumes.
The helm command version 3. Helm installs and updates Kubernetes applications, including Kubesafe. See the Helm documentation for details.
The oc command.
An email address registered with Kubesafe. To register, visit kubesafe.io/signup. This is the email address you’ll use when logging in to the Kubesafe software you install.

Creating an S3 bucket¶

Kubesafe needs an Amazon S3 bucket to hold its configuration information. Create an S3 bucket in the AWS console, or using the aws CLI:

aws s3api create-bucket --bucket name-you-pick --region us-west-2 \
   --create-bucket-configuration LocationConstraint=us-west-2

Make a note of the bucket name you use, as you will enter that name when you configure Kubesafe. Specify whichever AWS region makes sense for your deployment.

Configuring AWS permissions¶

When configuring Kubesafe, you will need your AWS account ID. To find this ID, log in to the AWS console and select “My Security Credentials” from the pulldown in the top menu bar. The account ID is displayed there.

Ensure that your user account and the cluster node roles have at least the following AWS permissions:

AmazonSQSFullAccess
IAMFullAccess
AmazonS3FullAccess
AmazonVPCFullAccess
AmazonSNSFullAccess

Downloading Kubesafe software¶

Download the latest version of Kubesafe software from download.kubesafe.io.

Deploying Kubesafe software¶

Use helm and oc to install the Kubesafe software in each cluster you’re managing.

Before continuing, ensure that your kubectl context is pointing to the cluster you want to configure with Kubesafe software. Refer to the Kubernetes task documentation for details.

mkdir /tmp/kubesafe
cd /tmp/kubesafe
tar -xzf kubesafe_v2.0.3.tar.gz

After extracting the downloaded tar file, change into the helm directory:

cd helm

This directory contains the Kubesafe helm chart.

Customizing the deployment (optional)¶

You might need to customize the kubesafe/values.yaml for your installation:

If you have your own Amazon Cognito authentication service, specify the configuration details for your identity provider.
Kubesafe services normally create their own self-signed SSL certificates for HTTPS. If you have your own SSL certificates, specify the keyFile, certFile, caCert, pemFile.

Installing Kubesafe services¶

For OpenShift Container Platform 3.x, update the kubesafe/values.yaml file:

Replace instances of gp2 with glusterfs-storage (or whatever Kubernetes StorageClass you have defined for Gluster).

In the apiserver section, change the tag for quay.io.kubesafe.io/api to ocs:

image:
  repository: quay.io/kubesafe.io/api
  pullPolicy: IfNotPresent
  tag: ocs

Set the openshift.enable: “true” flag:
```
openshift:
  enable: "true"
```
If your OpenShift Container Platform is running on premises, change these settings:
```
onprem.enabled = "true"
ui.service.type = "NodePort"
```

After making these changes, generate and apply the configuration:

oc new-project kubesafe
helm template  <release-name> kubesafe > ocs.yaml
oc create -f ocs.yaml

The output shows something like this:

$ oc create -f ocs.yaml
secret/kubesafe-api-secrets created
secret/kubesafe-db created
secret/kubesafe-db-certs created
secret/kubesafe-api-certs created
secret/kubesafe-ui-certs created
persistentvolumeclaim/kubesafe-api-pvc created
persistentvolumeclaim/kubesafe-db-pvc created
clusterrole.rbac.authorization.k8s.io/kubesafe-api-runner created
clusterrolebinding.rbac.authorization.k8s.io/run-kubesafe-api created
service/kubesafe-api created
service/kubesafe-db created
service/kubesafe-ui-cache created
service/kubesafe-ui created
deployment.apps/kubesafe-api created
deployment.apps/kubesafe-db created
deployment.apps/kubesafe-ui created
securitycontextconstraints.security.openshift.io/kubesafe created

Launching the Kubesafe UI¶

You access the Kubesafe UI through the name and port number assigned to the kubesafe-ui service.

$ kubectl get svc kubesafe-ui -n kubesafe
NAME          TYPE           CLUSTER-IP      EXTERNAL-IP                             PORT(S)          AGE
kubesafe-ui   LoadBalancer   100.65.65.216   a24a-19739.us-west-2.elb.amazonaws.com  8080:31321/TCP   3m54s

In this example, Kubesafe is available at https://100.65.65.216:8080 or https://a24a-19739.us-west-2.elb.amazonaws.com:8080.

Log in using the email address and password you registered with kubesafe.io/signup.

The first time you log in you will be prompted to upload the storage configuration file for both the local and remote clusters. If you want to save data in an S3 store, you also have to upload the S3 storage configuration. See the sections below for details on how to create the needed configuration files.

Cleaning up a failed installation¶

If the deployment is unsuccessful, you might need to clean up the namespace containing Kubesafe to try again. If so, use this command:

kubectl delete namespace kubesafe
oc delete scc kubesafe
oc delete clusterrole kubesafe-api-runner
oc delete clusterrolebindings run-kubesafe-api

Customizing the cluster configuration¶

To configure Kubesafe software, create and upload into Kubesafe a configuration file for each of the clusters in your environment. The storage-config-samples directory contains several examples.

The configuration files have the following fields:

ks_cluster_id	Unique identifier for this cluster. This will appear in the UI as the name of this cluster. The identifier must not use these characters: /. “$
ks_ui_url	URL to use for sending API requests within Kubesafe. The format is https://{IP}:8080, where IP is the external IP address displayed in output of kubectl get svc kubesafe-ui -n kubesafe.
awsElasticBlockStore.name	Use any name to identify the EBS service used for provisioning storage for Kubesafe.
metadata_backup_config.s3.name	Name of the S3 bucket you have created in AWS to store Kubesafe metadata. No more than two Kubesafe installations can share the same S3 metadata bucket.
primarynode	IP address of one of the Gluster Pods in your cluster.
resturl	URL of the Heketi server RESTful management interface.
restuser	Username for logging in to Heketi.
restuserkey	Password to use when logging in to Heketi.
accesskey	AWS access key ID for your S3 and SNS services.
privatekey	AWS secret access key for your S3 and SNS services.
ownerid	AWS account ID. To find this ID, log in to the AWS console and select “My Security Credentials” from the pulldown in the top menu bar.

Example Configuration

As with all Kubernetes YAML specifications, the files are sensitive to the indentation of each line. Change the fields below to reflect the values for your environment.

$ cat clusterone.yaml
version: 1
ks_cluster_id: prod-cluster
ks_api_url: http://127.0.0.1:8000/kubesafe/v1
ks_ui_url: https://a795a20aeaa1b4c789aa8660example-2073642121.us-west-2.elb.amazonaws.com:8080
storage_vendor_config:
  glusterfs:
    - name: gluster-store
      site_info:
        glusterfs:
          primarynode: "10.70.53.216"
          resturl: "http://heketi-storage.glusterfs.svc:8080"
          restuser: "admin"
          restuserkey: "adminkey"
metadata_backup_config:
  s3:
    - name: metadata-example-com
      site_info:
        clusteraz: "us-west-2a"
        clusterregion: "us-west-2"
        secret:
          accesskey: AKIAIOSFODNN7EXAMPLE
          privatekey: wJalrXUtnFEMI/K7MDENG/bPxRfiCYExample
        aws:
          ownerid: 0498EXAMPLE
notify_server_config:
  sns:
    - name: kubesafe-notification
      site_info:
        clusteraz: "us-west-2a"
        clusterregion: "us-west-2"
        secret:
          accesskey: AKIAIOSFODNN7EXAMPLE
          privatekey: wJalrXUtnFEMI/K7MDENG/bPxRfiCYExample
        aws:
          ownerid: 0498EXAMPLE

Customizing storage configuration for Amazon S3 backups¶

The example objectstore.yaml file illustrates how to configure an Amazon S3 bucket as a backup location. Use this if you want to store backups in S3 that can be recovered on another cluster.

The metadata_backup_config section will have the same values as your cluster; the data_backup_config section specifies the S3 bucket that will hold backups.

$ cat objectstore.yaml
version: 1
ks_cluster_id: backups
ks_api_url: http://127.0.0.1:8000/kubesafe/v1
ks_ui_url:

data_backup_config:
  s3:
    - name: kubesafe-backups
      site_info:
        clusteraz: "us-west-2a"
        clusterregion: "us-west-2"
        secret:
          accesskey: AKIAIOSFODNN7EXAMPLE
          privatekey: wJalrXUtnFEMI/K7MDENG/bPxRfiCYExample
        aws:
          ownerid: 0498EXAMPLE

metadata_backup_config:
  s3:
    - name: kubesafe-metadata
      site_info:
        clusteraz: "us-west-2a"
        clusterregion: "us-west-2"
        secret:
          accesskey: AKIAIOSFODNN7EXAMPLE
          privatekey: wJalrXUtnFEMI/K7MDENG/bPxRfiCYExample

Uploading Kubesafe configurations¶

When the configuration files are prepared, upload them into Kubesafe from the Configuration tab.

After adding the local cluster configuration, you can add optional remote clusters and optional object stores by clicking the “+” icons on the Configuration page. There are two options for remote clusters and object stores:

Read backups: the local cluster is authorized to clone from backups created on the remote cluster or stored on the remote object store
Write backups: the local cluster is authorized to store backups on the remote cluster or object store

Repeat the steps on any other clusters, making sure to load the correct “local” configuration for each one, and any optional remote configurations.