Wednesday, 23 January 2019

IBM Microclimate on IBM Cloud Private - From Soup to Nuts

As per my previous post: -

W00t, IBM Microclimate running on IBM Cloud Private ...

here's a very quick run-through my build process, having just REDONE FROM START.

It's worth reiterating that the official documentation here: -

https://github.com/IBM/charts/blob/master/stable/ibm-microclimate/README.md

is absolutely the way to go.

My notes are MY notes; YMMV

And, with that caveat, here we go: -

Create Non-Default Name Space

kubectl create namespace microclimate

Export HELM_HOME variable

export HELM_HOME=~/.helm

Configure Kubectl and Helm clients to use new namespaces

cloudctl login -a https://mycluster.icp:8443 -n microclimate --skip-ssl-validation -u admin -p admin

Create a namespace for the Microclimate pipeline

kubectl create namespace microclimate-pipeline-deployments

Create Cluster Image Policy

vi mycip.yaml

apiVersion: securityenforcement.admission.cloud.ibm.com/v1beta1
kind: ClusterImagePolicy
metadata:
  name: microclimate-cluster-image-policy
spec:
  repositories:
  - name: mycluster.icp:8500/*
  - name: docker.io/maven:*
  - name: docker.io/jenkins/*
  - name: docker.io/docker:*

kubectl apply -f mycip.yaml

Create Docker Registry Secret

- From Microclimate to Docker
- Used to push newly created applications to internal Docker registry

kubectl create secret docker-registry microclimate-registry-secret \
  --docker-server=mycluster.icp:8500 \
  --docker-username=admin \
  --docker-password=admin

Create Generic Secret

- From Microclimate to Helm

kubectl create secret generic microclimate-helm-secret --from-file=cert.pem=$HELM_HOME/cert.pem --from-file=ca.pem=$HELM_HOME/ca.pem --from-file=key.pem=$HELM_HOME/key.pem

Create Docker Regisry Secret

- From Microclimate to Pipeline

kubectl create secret docker-registry microclimate-pipeline-secret \
  --docker-server=mycluster.icp:8500 \
  --docker-username=admin \
  --docker-password=admin \
  --namespace=microclimate-pipeline-deployments

Validate default Service Account

kubectl describe serviceaccount default --namespace microclimate-pipeline-deployments

Add microclimate-pipeline-secret to default Service Account

kubectl patch serviceaccount default --namespace microclimate-pipeline-deployments -p "{\"imagePullSecrets\": [{\"name\": \"microclimate-pipeline-secret\"}]}"

Retrieve Cluster Proxy Address

kubectl get configmaps ibmcloud-cluster-info -n kube-public -o jsonpath='{.data.proxy_address}'

10.51.4.87

kubectl get nodes -l proxy=true

NAME         STATUS    ROLES     AGE       VERSION
10.51.4.87   Ready     proxy     13d       v1.11.3+icp-ee

Note that my Proxy node has a private 10.X.X.X IP address, and thus I cannot use this for the Microclimate Ingress; instead, I'll use the ICP dashboard ( Management/Master node ) address, which is public ( to me ).

This is further explained in the README.md: -

If the name of this node is an IP address, you can test that this IP is usable as an ingress domain by navigating to https://. If you receive a default backend - 404 error, then this IP is externally accessible and should be used as the global.ingressDomain value. If you cannot reach this address, copy the IP address that you use to access the IBM Cloud Private dashboard. Use the copied address to set the global.ingressDomain value.

Create Persistent Volumes / Persistent Volume Claims

- Note that I'm using YAML to create the Persistent Volumes and the corresponding Claims
- In my case, the PVs are actually "pointing" to NFS volumes, exported from my Boot node

kubectl apply -f createMC_PV1.yaml
kubectl apply -f createMC_PV2.yaml
kubectl apply -f createMC_PVC1.yaml
kubectl apply -f createMC_PVC2.yaml

Add IBM Helm charts repo

helm repo add ibm-charts https://raw.githubusercontent.com/IBM/charts/master/repo/stable/

Install Microclimate Helm chart

helm install --name microclimate --namespace microclimate --set global.rbac.serviceAccountName=micro-sa,jenkins.rbac.serviceAccountName=pipeline-sa,global.ingressDomain=9.20.193.177.nip.io,persistence.useDynamicProvisioning=false,persistence.size=8Gi,jenkins.Persistence.ExistingClaim=microclimate-jenkins,persistence.existingClaimName=microclimate-ibm-microclimate ibm-charts/ibm-microclimate --tls

...
1. Access the Microclimate portal at the following URL: https://microclimate.9.20.193.177.nip.io

Target namespace set to: microclimate-pipeline-deployments, please verify this exists before creating pipelines
...

Validate Microclimate pods

kubectl get pods -n microclimate

...
NAME                                                    READY     STATUS    RESTARTS   AGE
microclimate-ibm-microclimate-65f559cf48-ml587          1/1       Running   0          2m
microclimate-ibm-microclimate-atrium-5c7dc4d4f9-7hnv7   1/1       Running   0          2m
microclimate-ibm-microclimate-devops-7b7dd69655-g8pjv   0/1       Running   0          2m
microclimate-jenkins-64c7446647-glrpr                   1/1       Running   0          2m
...

Valiate Ingress Points

kubectl get ing

...
NAME                            HOSTS                              ADDRESS      PORTS     AGE
microclimate-ibm-microclimate   microclimate.9.20.193.177.nip.io   10.51.4.87   80, 443   3m
microclimate-jenkins            jenkins.9.20.193.177.nip.io        10.51.4.87   80, 443   3m
...

Validate Helm chart

helm list --tls --namespace microclimate

...
NAME         REVISION UPDATED                 STATUS   CHART                   NAMESPACE
microclimate 1       Wed Jan 23 14:14:45 2019 DEPLOYED ibm-microclimate-1.10.0 microclimate
...

helm status microclimate --tls

...
LAST DEPLOYED: Wed Jan 23 14:14:45 2019
NAMESPACE: microclimate
STATUS: DEPLOYED
...

Access MC UI

- Note that this uses the NIP.IO service

...
 NIP.IO maps ..nip.io to the corresponding , even 127.0.0.1.nip.io maps to 127.0.0.1 
...

https://microclimate.9.20.193.177.nip.io

Login as admin/admin

Attempt create a new project - I chose Java / Lagom as per this: -

Create and deploy Lagom Reactive applications with Microclimate

Finally, if it helps, the File Watcher pod can be monitored, via a command such as this: -

kubectl logs -f `kubectl get pods -n microclimate | grep -i watcher | awk '{print $1}'` -n microclimate

( watch out for the so-called back-tick character, which doesn't always paste well from a browser )


No comments:

Following my previous post: - Security Bulletin: IBM Cloud Kubernetes Service is affected by a privilege escalation vulnerability in runc ...