CSA-RH/acm-gitops-demo
Cert-Manager Operator

Deploys the cert-manager Operator along with a sample ClusterIssuer that uses the same CA certificate.

Details

ACM Minimal Version: 2.14

Documentation: latest


Notes:

  • The ClusterIssuer uses a self-signed CA file. Production environments should use an appropriate PKI.
  • Configures cert-manager to include the cluster trusted CA bundle. This shouldn't hurt if you don't have a CA applied through the cluster proxy.
  • Requires ACM 2.14 to make use of the fail function when there are no deployments in the cert-manager namespace.

Introduction

This repository is a personal space to share technical ideas, notes, and experiments. The content reflects my own views and understanding, and should not be taken as the official position of my employer. Please feel free to explore, adapt, and use what is helpful for your own work.

This repository demonstrates how to use RH ACM together with GitOps and PolicyGenerator to enforce policies on selected spoke clusters.

Prerequisites

Before using this repository, make sure you have:

  • A running OpenShift cluster with Red Hat ACM installed.
  • One spoke cluster already imported into the ACM hub. This repo expects the spoke cluster to be named prod-cluster.

LAB Architecture

The environment has 2 clusters, with the following naming:

  • local-cluster: this is the ACM hub cluster (the cluster where ACM is installed)
  • prod-cluster: spoke cluster. For placement purposes it will be labeled with environment: prod

Configuration

  1. Login to ACM HUB cluster

    oc login -u <user> -p <password> <API_ENDPOINT>
  2. Clone Git

    git clone https://github.com/luisevm/acm-gitops-demo
    
  3. Install OpenShift GitOps in the ACM hub cluster

    oc create -f bootstrap/gitops/00-namespace.yaml
    oc create -f bootstrap/gitops/10-operatorgroup.yaml
    oc create -f bootstrap/gitops/20-subscription.yaml

    Check that the installation was successful

    oc -n openshift-gitops-operator get csv
  4. Grant RBAC so that the user you log in to OpenShift or ArgoCD with can see, in ArgoCD, the applications created on the ACM hub OpenShift cluster. Replace the user "admin" with your user.

    oc create -f - <<EOF
    apiVersion: user.openshift.io/v1
    kind: Group
    metadata:
      name: cluster-admins
    users:
    - admin
    EOF
  5. Configure ArgoCD instance to use the PolicyGenerator plugin.

    In order for OpenShift GitOps to have access to the policy generator when you run Kustomize, an Init Container is required to copy the policy generator binary from the RHACM Application Subscription container image to the OpenShift GitOps container that runs Kustomize. Additionally, OpenShift GitOps must be configured to provide the --enable-alpha-plugins flag when you run Kustomize.

    Documentation reference link: Integrating the Policy Generator with OpenShift GitOps and chapter.

    a. Find the container image version for your ACM version:

    • Open https://catalog.redhat.com
    • Search by image multicluster-operators-subscription
    • Check the image versions available and select the image name that matches your ACM version. In my case the ACM version is 2.14 and the corresponding image is: registry.redhat.io/rhacm2/multicluster-operators-subscription-rhel9:v2.14

    b. Patch the ArgoCD instance, adding the following configuration to the existing ArgoCD manifest:

    • Edit the patch file and customize the image name

      #replace the image
      vi bootstrap/gitops/30-argocd-patch.yaml
    • Patch ArgoCD, to configure OpenShift GitOps:

      oc -n openshift-gitops patch argocd openshift-gitops --type=merge --patch-file bootstrap/gitops/30-argocd-patch.yaml

    c. Check that the ArgoCD instance restarts and that the pod "openshift-gitops-repo-server" is running again

    oc -n openshift-gitops get pods
    
  6. Bootstrap required Objects

    a. Create in ACM HUB the namespace where the Policies and Placement* will be created

    oc create -f bootstrap/clustergroups/00-namespace.yaml
    

    b. Configure the RBAC

    oc create -f bootstrap/clustergroups/10-rbac.yaml
    

    c.

    oc create -f bootstrap/clustergroups/30-mce-mceprod.yaml
    

    d.

    oc create -f bootstrap/clustergroups/31-mce-mcedev.yaml
    

    e. Label the prod-cluster spoke so that it joins the mceprod cluster set and carries the environment=prod label used for placement

    oc label managedcluster prod-cluster cluster.open-cluster-management.io/clusterset=mceprod --overwrite
    oc label ManagedCluster prod-cluster environment=prod
    #oc create -f bootstrap/clustergroups/40-mc-mcprod.yaml
    

    f. Label the dev-cluster spoke so that it joins the mcedev cluster set and carries the environment=dev label

    oc label managedcluster dev-cluster cluster.open-cluster-management.io/clusterset=mcedev --overwrite
    oc label ManagedCluster dev-cluster environment=dev
    #oc create -f bootstrap/clustergroups/41-mc-mcdev.yaml 
    

    g.

    oc create -f bootstrap/clustergroups/50-mcsb-mceprod.yaml 
    

    h.

    oc create -f bootstrap/clustergroups/51-mcsb-mcedev.yaml
    

    i.

    #(Required for the Red Hat demo platform) - Give the admin user the permissions to create policies with the PolicyGenerator
    cat << EOF | oc apply -f -
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: open-cluster-management:subscription-admin
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: open-cluster-management:subscription-admin
    subjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: User
      name: kube:admin
    - apiGroup: rbac.authorization.k8s.io
      kind: User
      name: system:admin
    - apiGroup: rbac.authorization.k8s.io
      kind: User
      name: admin
    EOF
  7. Create Application

    a.

    oc create -f app/application2.yml
    

    b. Check that the Application was created

    oc -n openshift-gitops get applications.argoproj.io appset-spoke-policies
    

Troubleshoot

Example to troubleshoot the Policy to audit the presence of the OpenShift-Gitops operator.

  1. On the ACM HUB cluster

    oc -n acm-policies get policy
    oc -n acm-policies describe policy <...>
    oc -n acm-policies get policy,placement,placementbinding

    #Verify that ApplicationSet was deployed

    oc -n openshift-gitops describe application

    #Verify Applications are created for each policy:

    oc -n openshift-gitops get applications.argoproj.io
    oc -n acm-policies get placement
    oc -n acm-policies describe placement gitops-targets
    oc -n acm-policies get placementdecision
    oc -n acm-policies describe policy <your-policy-name>
    oc -n prod-cluster get policy
  2. On the spoke cluster

    #Verify Policy was propagated to the spoke cluster

    oc -n prod-cluster get policy
    oc -n prod-cluster describe policy <...>

    #Look at policy-controller logs on the spoke

    oc -n open-cluster-management-agent-addon get pods | grep governance-policy-framework
    oc -n open-cluster-management-agent-addon logs <policy-framework-pod>

Test that Cert Manager is generating Certificates

  1. Login to spoke cluster, named prod-cluster

    oc login -u <user> -p <password> <API_ENDPOINT>
    
  2. Create a new project

    oc new-project certificatetest
  3. Create a new Certificate

    oc apply -f - <<'EOF'
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: mycertificate
      namespace: certificatetest
    spec:
      isCA: false
      commonName: "mytest.bry-tam.redhat.com"
      dnsNames:
        - mytest.bry-tam.redhat.com
      usages:
        - server auth
      issuerRef:
        kind: ClusterIssuer
        name: ca-clusterissuer
      secretName: mycertificate-tls
    EOF
  4. Check that the Certificate is created

    oc get certificate mycertificate -n certificatetest
  5. Check that the Certificate is issued

    oc get certificate mycertificate -n certificatetest
  6. Check that the Secret containing the certificate is created

    oc get secret mycertificate-tls -n certificatetest
  7. Extract key and check certificate

    oc extract secret/mycertificate-tls -n certificatetest
    openssl x509 -in ca.crt  -text -noout
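The steps above only show that a Secret exists; the script below (an added example, not part of this repository) goes further and checks that the issued tls.crt actually chains to the ClusterIssuer's CA, carries the requested dnsName, matches tls.key and is not expired. It assumes `oc` is logged in to the spoke cluster, `openssl` 1.1.1 or newer is on PATH, and the namespace, secret name and dnsName from step 3 (all overridable via environment variables).

```shell
#!/bin/sh
# Added example, not part of the original repository. Checks the certificate that
# cert-manager issued in the test above. Assumes: `oc` is logged in to the spoke
# cluster, `openssl` (1.1.1+) is on PATH, and the namespace, secret name and
# dnsName match step 3 (override with environment variables).
NAMESPACE="${NAMESPACE:-certificatetest}"
SECRET="${SECRET:-mycertificate-tls}"
EXPECTED_DNS="${EXPECTED_DNS:-mytest.bry-tam.redhat.com}"

# Pure-shell helper: does the SAN text printed by openssl list this DNS name exactly?
# Input looks like "X509v3 Subject Alternative Name:\n    DNS:a, DNS:b".
san_contains() {
  printf '%s\n' "$1" | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -Fqx "DNS:$2"
}

# Pull tls.crt, tls.key and ca.crt out of the secret into a temporary directory.
extract_secret() {
  dir=$(mktemp -d) || return 1
  oc extract "secret/$SECRET" -n "$NAMESPACE" --to="$dir" >/dev/null || return 1
  printf '%s\n' "$dir"
}

# Return 0 only if the leaf chains to the CA, carries the requested SAN,
# matches its private key and is currently valid. $1 = directory, $2 = dnsName.
verify_issued_cert() {
  dir="$1"; expected="$2"
  for f in tls.crt tls.key ca.crt; do
    [ -s "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
  done
  # 1. tls.crt must verify against the CA the ClusterIssuer signs with
  openssl verify -CAfile "$dir/ca.crt" "$dir/tls.crt" >/dev/null || return 1
  # 2. the dnsName from the Certificate spec must be in subjectAltName
  san=$(openssl x509 -in "$dir/tls.crt" -noout -ext subjectAltName)
  san_contains "$san" "$expected" || { echo "SAN lacks DNS:$expected" >&2; return 1; }
  # 3. tls.key must be the private key for tls.crt (compare public keys)
  crt_pub=$(openssl x509 -in "$dir/tls.crt" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$dir/tls.key" -pubout | openssl sha256)
  [ "$crt_pub" = "$key_pub" ] || { echo "tls.key does not match tls.crt" >&2; return 1; }
  # 4. not expired (checkend 0 fails if the notAfter date has passed)
  openssl x509 -in "$dir/tls.crt" -noout -checkend 0 >/dev/null
}

# Run against the live cluster only when asked, so the file can also be sourced.
if [ "${RUN_CHECK:-0}" = 1 ]; then
  d=$(extract_secret) && verify_issued_cert "$d" "$EXPECTED_DNS" && echo "certificate OK"
fi
```

Run it with `RUN_CHECK=1 sh check-cert.sh` after step 6; a non-zero exit and a message on stderr tell you which of the four checks failed.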
