Release K: Testing - K8S ETSI OCF CAPIF

Repository: https://labs.etsi.org/rep/ocf/capif

Wiki: https://labs.etsi.org/rep/groups/ocf/-/wikis/home

OpenShift Helm CAPIF Installation

 

Unpack helm.tar; it contains scripts modified to install OCF on OpenShift.
Then change to the scripts folder and run the installers:

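# KUBECONFIG must name the kubeconfig file itself, not the .kube directory
export KUBECONFIG="$HOME/.kube/config"
tar xf helm.tar
cd helm/scripts/
./install_vault.sh
# Set the Vault token used by the vault job before installing CAPIF
sed -i 's/export VAULT_TOKEN=""/export VAULT_TOKEN="root"/' vault-job/vault-job.yaml
./install_capif.sh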

Or MANUALLY install the main components:
Install Ingress NGINX with RBAC and ssl-passthrough

#############################################################
#################### INSTALL CAPIF NGINX ####################
#############################################################
helm upgrade --install ingress-nginx ingress-nginx \
  --repo https://kubernetes.github.io/ingress-nginx \
  --set rbac.create=true \
  --set controller.service.type=NodePort \
  --set controller.service.nodePorts.http=32080 \
  --set controller.service.nodePorts.https=32443 \
  --namespace ingress-nginx --create-namespace \
  --set controller.extraArgs."enable-ssl-passthrough=true" \
  --kubeconfig "$KUBECONFIG"

OCF uses Vault for secret management. OpenShift needs some particular settings:
https://developer.hashicorp.com/vault/tutorials/kubernetes/kubernetes-openshift

#############################################################
#################### INSTALL CAPIF VAULT ####################
#############################################################
# Requires the HashiCorp chart repository:
#   helm repo add hashicorp https://helm.releases.hashicorp.com
# The kubeconfig is passed with --kubeconfig; a bare path after "helm"
# would be parsed as a subcommand.
helm upgrade --install vault hashicorp/vault -n ocf-vault \
  --kubeconfig "$KUBECONFIG" \
  --set server.ingress.enabled=true \
  --set "server.ingress.hosts[0].host=vault.testbed.develop" \
  --set server.ingress.ingressClassName=nginx \
  --set server.standalone.enabled=true --create-namespace \
  --set "global.openshift=true" \
  --set "server.dev.enabled=true" \
  --set "server.image.repository=docker.io/hashicorp/vault" \
  --set "injector.image.repository=docker.io/hashicorp/vault-k8s"

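Read the Vault pod's logs to get the tokens. On OpenShift the admin token is usually root, but the unseal key is generated. With server.dev.enabled=true Vault runs in dev mode, which keeps its data in memory, so this setup is for testing only.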

Manually create PV and PVC

Set Some Variables:

 

Install CAPIF

Manually Retrieve a Bearer Token

  1. Log in as an admin (admin:password123, or Base64-encoded "YWRtaW46cGFzc3dvcmQxMjM=") and retrieve a TOKEN

  2. Use the TOKEN to create a normal user

  3. Get Authorization and ACCESS_TOKEN for the user and the CA_ROOT

  4. Prepare a PROVIDER with keys in body and authenticate with the ACCESS_TOKEN

  5. ONBOARD that PROVIDER
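
The five steps above as request builders, added here as an illustration and not taken from the OCF repository. Both host names, the register-service paths (/login, /createUser, /getauth), the response fields access_token and ca_root, and the profile dictionary are assumptions to check against your release; the provider body follows the APIProviderEnrolmentDetails shape of 3GPP TS 29.222.

```python
import base64, json, ssl, urllib.request

# Assumptions (not on the page): both host names, the register-service paths
# /login, /createUser and /getauth, and the JSON fields access_token and ca_root.
REGISTER = "https://register.example.test"   # hypothetical host
CAPIF = "https://capif.example.test"         # hypothetical host

def basic(user, password):
    """Authorization value for user:password, Base64-encoded as in step 1."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def build(method, url, auth, body=None):
    """Build (but do not send) a JSON request carrying an Authorization header."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", auth)
    if data is not None:
        req.add_header("Content-Type", "application/json")
    return req

def send(req, cafile=None):
    """Send with TLS verification on; cafile pins a CA instead of disabling checks."""
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)

def admin_login():                                   # step 1
    return build("POST", REGISTER + "/login", basic("admin", "password123"))
def create_user(admin_token, profile):               # step 2
    return build("POST", REGISTER + "/createUser", "Bearer " + admin_token, profile)
def get_auth(user, password):                        # step 3
    return build("GET", REGISTER + "/getauth", basic(user, password))

def onboard_provider(access_token, keys):            # steps 4 and 5
    """keys maps a role (AEF, APF, AMF) to that function's key material."""
    funcs = [{"regInfo": {"apiProvPubKey": k}, "apiProvFuncRole": role}
             for role, k in keys.items()]
    body = {"apiProvFuncs": funcs, "regSec": access_token}
    url = CAPIF + "/api-provider-management/v1/registrations"
    return build("POST", url, "Bearer " + access_token, body)

def run_flow(profile, keys, register_ca=None):
    """Chain the steps: each token comes from the previous response."""
    admin = send(admin_login(), register_ca)
    send(create_user(admin["access_token"], profile), register_ca)
    auth = send(get_auth(profile["username"], profile["password"]), register_ca)
    with open("ca_root.pem", "w") as fh:             # CA_ROOT from step 3
        fh.write(auth["ca_root"])
    return send(onboard_provider(auth["access_token"], keys), "ca_root.pem")
```

Nothing is sent until run_flow is called; the CA_ROOT returned in step 3 is written to ca_root.pem and used to verify the CAPIF endpoint's certificate in the onboarding call.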

TBD

SME only installation