Repository: https://labs.etsi.org/rep/ocf/capif
Wiki: https://labs.etsi.org/rep/groups/ocf/-/wikis/home
Openshift Helm Capif Installation
Unpack helm.tar; it contains scripts modified to install OCF on OpenShift.
Navigate to the scripts folder and run:
export KUBECONFIG="$HOME/.kube/config"   # kubeconfig file for the target OpenShift cluster, used by helm and kubectl below
tar xf helm.tar
cd helm/scripts/
./install_vault.sh
# the install scripts expect the Vault dev-mode root token
sed -i 's/export VAULT_TOKEN=""/export VAULT_TOKEN="root"/' vault-job/vault-job.yaml
./install_capif.sh
Or install the main components MANUALLY:
Install Ingress NGINX with RBAC and SSL passthrough enabled
#############################################################
#################### INSTALL CAPIF NGINX ####################
#############################################################
helm upgrade --install ingress-nginx ingress-nginx \
  --repo https://kubernetes.github.io/ingress-nginx \
  --set rbac.create=true \
  --set controller.service.type=NodePort \
  --set controller.service.nodePorts.http=32080 \
  --set controller.service.nodePorts.https=32443 \
  --namespace ingress-nginx --create-namespace \
  --set controller.extraArgs.enable-ssl-passthrough=true \
  --kubeconfig "$KUBECONFIG"
OCF uses Vault for secret management. OpenShift needs some particular settings, described in:
https://developer.hashicorp.com/vault/tutorials/kubernetes/kubernetes-openshift
#############################################################
#################### INSTALL CAPIF VAULT ####################
#############################################################
# chart repository that provides hashicorp/vault
helm repo add hashicorp https://helm.releases.hashicorp.com
# server.dev.enabled runs Vault in dev mode (in-memory storage, root token "root"): testbed use only
helm --kubeconfig "$KUBECONFIG" upgrade --install vault hashicorp/vault -n ocf-vault \
  --set server.ingress.enabled=true \
  --set server.ingress.hosts[0].host="vault.testbed.develop" \
  --set server.ingress.ingressClassName=nginx \
  --set server.standalone.enabled=true --create-namespace \
  --set "global.openshift=true" \
  --set "server.dev.enabled=true" \
  --set "server.image.repository=docker.io/hashicorp/vault" \
  --set "injector.image.repository=docker.io/hashicorp/vault-k8s"
Read the log of the Vault pod to get the tokens: on OpenShift the admin token is usually root, but the unseal key is generated at start-up.
# replace the key below with the unseal key printed in the Vault pod log
kubectl --kubeconfig "$KUBECONFIG" exec -ti vault-0 -n ocf-vault -- vault operator unseal 19zgCoVzIC4665WfRAD7gJmHTTXtqRfYrltjJ7u77AA=
Manually create the PV and PVC
# the PVC is namespaced: apply it in the namespace where CAPIF will be installed
kubectl apply -f - <<EOF
apiVersion: v1
kind: PersistentVolume
metadata:
  name: tempo-pv
spec:
  capacity:
    storage: 2Gi
  accessModes:
    - ReadWriteOnce
  hostPath:
    path: "/mnt/data/tempo"
EOF
kubectl apply -f - <<EOF
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: tempo-pvc
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 2Gi
EOF
Set these variables before installing (every one of them is expanded by the helm command below; values in angle brackets are placeholders for your environment):
export CAPIF_NAMESPACE="<namespace for CAPIF>"
export CAPIF_NAME_VERSION_CHART="<helm release name>"
export HELM_DIR="<path to the unpacked helm directory>"
export CAPIF_DOCKER_REGISTRY="<registry hosting the OCF images>"
export CAPIF_IMAGE_TAG="<image tag>"
export CAPIF_HOSTNAME="<public hostname of CAPIF>"
export REGISTER_HOSTNAME="<public hostname of the register service>"
export K8S_IP="<node IP that $CAPIF_HOSTNAME resolves to inside the register pod>"
export INGRESS_IP="<ingress IP>"
export VAULT_PORT="8200"                  # Vault API port (chart default)
export VAULT_ACCESS_TOKEN="root"          # dev-mode root token from the Vault step above
export VAULT_INTERNAL_HOSTNAME="<in-cluster hostname of the Vault service in ocf-vault>"
Install CAPIF
helm --kubeconfig "$KUBECONFIG" upgrade --install -n $CAPIF_NAMESPACE $CAPIF_NAME_VERSION_CHART $HELM_DIR/capif/ \
  --set ocf-access-control-policy.image.repository=$CAPIF_DOCKER_REGISTRY/ocf-access-control-policy-api \
  --set ocf-access-control-policy.image.tag=$CAPIF_IMAGE_TAG \
  --set ocf-access-control-policy.image.env.capifHostname=$CAPIF_HOSTNAME \
  --set ocf-access-control-policy.monitoring="true" \
  --set ocf-access-control-policy.env.logLevel="DEBUG" \
  --set ocf-api-invocation-logs.image.repository=$CAPIF_DOCKER_REGISTRY/ocf-logging-api-invocation-api \
  --set ocf-api-invocation-logs.image.tag=$CAPIF_IMAGE_TAG \
  --set ocf-api-invocation-logs.env.monitoring="true" \
  --set ocf-api-invocation-logs.env.capifHostname=$CAPIF_HOSTNAME \
  --set ocf-api-invocation-logs.env.vaultHostname=$VAULT_INTERNAL_HOSTNAME \
  --set ocf-api-invocation-logs.env.vaultPort=$VAULT_PORT \
  --set ocf-api-invocation-logs.env.vaultAccessToken=$VAULT_ACCESS_TOKEN \
  --set ocf-api-invocation-logs.env.logLevel="DEBUG" \
  --set ocf-api-invoker-management.image.repository=$CAPIF_DOCKER_REGISTRY/ocf-api-invoker-management-api \
  --set ocf-api-invoker-management.image.tag=$CAPIF_IMAGE_TAG \
  --set ocf-api-invoker-management.env.monitoring="true" \
  --set ocf-api-invoker-management.env.vaultHostname=$VAULT_INTERNAL_HOSTNAME \
  --set ocf-api-invoker-management.env.vaultPort=$VAULT_PORT \
  --set ocf-api-invoker-management.env.vaultAccessToken=$VAULT_ACCESS_TOKEN \
  --set ocf-api-invoker-management.env.logLevel="DEBUG" \
  --set ocf-api-provider-management.image.repository=$CAPIF_DOCKER_REGISTRY/ocf-api-provider-management-api \
  --set ocf-api-provider-management.image.tag=$CAPIF_IMAGE_TAG \
  --set ocf-api-provider-management.env.monitoring="true" \
  --set ocf-api-provider-management.env.vaultHostname=$VAULT_INTERNAL_HOSTNAME \
  --set ocf-api-provider-management.env.logLevel="DEBUG" \
  --set ocf-api-provider-management.env.vaultPort=$VAULT_PORT \
  --set ocf-api-provider-management.env.vaultAccessToken=$VAULT_ACCESS_TOKEN \
  --set ocf-events.image.repository=$CAPIF_DOCKER_REGISTRY/ocf-events-api \
  --set ocf-events.image.tag=$CAPIF_IMAGE_TAG \
  --set ocf-events.env.monitoring="true" \
  --set ocf-events.env.logLevel="DEBUG" \
  --set ocf-routing-info.image.repository=$CAPIF_DOCKER_REGISTRY/ocf-routing-info-api \
  --set ocf-routing-info.image.tag=$CAPIF_IMAGE_TAG \
  --set ocf-routing-info.env.monitoring="true" \
  --set ocf-routing-info.env.logLevel="DEBUG" \
  --set ocf-security.image.repository=$CAPIF_DOCKER_REGISTRY/ocf-security-api \
  --set ocf-security.image.tag=$CAPIF_IMAGE_TAG \
  --set ocf-security.env.monitoring="true" \
  --set ocf-security.env.capifHostname=$CAPIF_HOSTNAME \
  --set ocf-security.env.vaultHostname=$VAULT_INTERNAL_HOSTNAME \
  --set ocf-security.env.vaultPort=$VAULT_PORT \
  --set ocf-security.env.vaultAccessToken=$VAULT_ACCESS_TOKEN \
  --set ocf-security.env.logLevel="DEBUG" \
  --set ocf-register.image.repository=$CAPIF_DOCKER_REGISTRY/register \
  --set ocf-register.image.tag=$CAPIF_IMAGE_TAG \
  --set ocf-register.env.vaultHostname=$VAULT_INTERNAL_HOSTNAME \
  --set ocf-register.env.vaultAccessToken=$VAULT_ACCESS_TOKEN \
  --set ocf-register.env.vaultPort=$VAULT_PORT \
  --set ocf-register.env.mongoHost=mongo-register \
  --set ocf-register.env.mongoPort=27017 \
  --set ocf-register.env.capifHostname=$CAPIF_HOSTNAME \
  --set ocf-register.ingress.enabled=true \
  --set ocf-register.ingress.hosts[0].host=$REGISTER_HOSTNAME \
  --set ocf-register.ingress.hosts[0].paths[0].path="/" \
  --set ocf-register.ingress.hosts[0].paths[0].pathType="Prefix" \
  --set ocf-register.env.logLevel="DEBUG" \
  --set ocf-register.extraConfigPod.hostAliases[0].hostnames[0]=$CAPIF_HOSTNAME \
  --set ocf-register.extraConfigPod.hostAliases[0].ip=$K8S_IP \
  --set ocf-auditing-api-logs.image.repository=$CAPIF_DOCKER_REGISTRY/ocf-auditing-api \
  --set ocf-auditing-api-logs.image.tag=$CAPIF_IMAGE_TAG \
  --set ocf-auditing-api-logs.env.monitoring="true" \
  --set ocf-auditing-api-logs.env.logLevel="DEBUG" \
  --set ocf-publish-service-api.image.repository=$CAPIF_DOCKER_REGISTRY/ocf-publish-service-api \
  --set ocf-publish-service-api.image.tag=$CAPIF_IMAGE_TAG \
  --set ocf-publish-service-api.env.monitoring="true" \
  --set ocf-publish-service-api.env.logLevel="DEBUG" \
  --set ocf-discover-service-api.image.repository=$CAPIF_DOCKER_REGISTRY/ocf-discover-service-api \
  --set ocf-discover-service-api.image.tag=$CAPIF_IMAGE_TAG \
  --set ocf-discover-service-api.env.monitoring="true" \
  --set ocf-discover-service-api.env.logLevel="DEBUG" \
  --set nginx.image.repository=$CAPIF_DOCKER_REGISTRY/nginx \
  --set nginx.image.tag=$CAPIF_IMAGE_TAG \
  --set nginx.env.capifHostname=$CAPIF_HOSTNAME \
  --set nginx.env.vaultHostname=$VAULT_INTERNAL_HOSTNAME \
  --set nginx.env.vaultPort=$VAULT_PORT \
  --set nginx.env.vaultAccessToken=$VAULT_ACCESS_TOKEN \
  --set nginx.ingress.enabled=true \
  --set nginx.ingress.hosts[0].host=$CAPIF_HOSTNAME \
  --set nginx.ingress.hosts[0].paths[0].path="/" \
  --set nginx.ingress.hosts[0].paths[0].pathType="Prefix" \
  --set nginx.nginx.env.capifHostname=$CAPIF_HOSTNAME \
  --set ingress_ip.oneke="$INGRESS_IP" \
  --set nginx.env.logLevel="debug" \
  --set ocf-helper.image.repository=$CAPIF_DOCKER_REGISTRY/helper \
  --set ocf-helper.image.tag=$CAPIF_IMAGE_TAG \
  --set ocf-helper.env.vaultHostname=$VAULT_INTERNAL_HOSTNAME \
  --set ocf-helper.env.vaultPort=$VAULT_PORT \
  --set ocf-helper.env.vaultAccessToken=$VAULT_ACCESS_TOKEN \
  --set ocf-helper.env.capifHostname=$CAPIF_HOSTNAME \
  --set ocf-helper.env.logLevel="DEBUG" \
  --wait --timeout=10m --create-namespace
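A pre-flight check to source before the helm command above, added here as an example and not part of the OCF repository: helm expands an unset variable to an empty string, which turns the command into broken image references and empty Vault tokens rather than an error. The variable names are the ones the helm command uses; CAPIF_ALLOW_DEV_TOKEN is a switch assumed by this script.

```shell
#!/usr/bin/env bash
# Pre-flight check for the manual CAPIF install (added example, not from the OCF repo).

# Every variable the helm install command expands, plus the kubeconfig it is run with.
CAPIF_REQUIRED_VARS="KUBECONFIG CAPIF_NAMESPACE CAPIF_NAME_VERSION_CHART HELM_DIR
CAPIF_DOCKER_REGISTRY CAPIF_IMAGE_TAG CAPIF_HOSTNAME REGISTER_HOSTNAME K8S_IP INGRESS_IP
VAULT_PORT VAULT_ACCESS_TOKEN VAULT_INTERNAL_HOSTNAME"

# Returns 0 when the environment is complete and sane, 1 otherwise; reports every problem on stderr.
capif_preflight() {
  rc=0
  for v in $CAPIF_REQUIRED_VARS; do
    eval "val=\${$v:-}"            # indirect expansion: value of the variable named in $v
    if [ -z "$val" ]; then
      echo "missing: $v" >&2
      rc=1
    fi
  done
  # KUBECONFIG must name a file; pointing it at the .kube directory is a common mistake.
  if [ -n "${KUBECONFIG:-}" ] && [ ! -f "$KUBECONFIG" ]; then
    echo "KUBECONFIG is not a regular file: $KUBECONFIG" >&2
    rc=1
  fi
  # VAULT_PORT is passed as env.vaultPort to every service, so it must be numeric.
  case "${VAULT_PORT:-}" in
    ''|*[!0-9]*) echo "VAULT_PORT is not numeric: ${VAULT_PORT:-}" >&2; rc=1 ;;
  esac
  # "root" is the Vault dev-mode token from this guide; it must be allowed explicitly
  # (CAPIF_ALLOW_DEV_TOKEN=1, an assumed switch) so it cannot reach a non-lab cluster by accident.
  if [ "${VAULT_ACCESS_TOKEN:-}" = "root" ] && [ "${CAPIF_ALLOW_DEV_TOKEN:-0}" != "1" ]; then
    echo "VAULT_ACCESS_TOKEN is the dev-mode root token; set CAPIF_ALLOW_DEV_TOKEN=1 on a lab cluster" >&2
    rc=1
  fi
  return $rc
}

# Usage: source this file, then `capif_preflight || exit 1` before running helm.
```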