Red Hat OpenShift
Obtaining an OpenShift Container Platform Management Token
When deploying OpenShift using openshift-ansible-3.0.20 (or later versions), the OpenShift Container Platform service account and roles required by ManageIQ are installed by default.
For newer versions of OpenShift you have to create a service account with the proper permissions for ManageIQ.
- Create a namespace for the service account:
  project_name="management-manageiq"  # Pick a name for your project
  oc adm new-project $project_name --description="ManageIQ Project"
- Create a service account in that project:
  service_account_name="management-admin"
  oc create serviceaccount $service_account_name -n $project_name
- Create the cluster role:
  echo '{"apiVersion": "v1", "kind": "ClusterRole", "metadata": {"name": "management-manageiq-admin"}, "rules": [{"resources": ["pods/proxy"], "verbs": ["*"]}]}' | oc create -f -
- Apply roles and policies to the service account:
  oc policy add-role-to-user -n $project_name admin -z $service_account_name
  oc policy add-role-to-user -n $project_name management-manageiq-admin -z $service_account_name
  oc adm policy add-cluster-role-to-user cluster-reader system:serviceaccount:$project_name:$service_account_name
  oc adm policy add-scc-to-user privileged system:serviceaccount:$project_name:$service_account_name
  oc adm policy add-cluster-role-to-user self-provisioner system:serviceaccount:$project_name:$service_account_name
Note: See the OpenShift Container Platform documentation for a list of the default roles.
Run the following to obtain the token needed to add an OpenShift Container Platform provider:
# oc sa get-token -n $project_name $service_account_name
eyJhbGciOiJSUzI1NiI...
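Because the bindings above grant the account cluster-reader, the privileged SCC and self-provisioner, the token is a high-value credential, so it is worth confirming that the token you are about to paste into ManageIQ really belongs to the intended project and service account. The following is an added example, not code from the ManageIQ documentation: it decodes a token's header and claims offline (without verifying the signature, which the API server does when ManageIQ authenticates) and compares them with the expected names. The claim names are those of legacy OpenShift 3.x service-account tokens, and the token the block builds is a constructed, unsigned sample whose header encodes to the same eyJhbGciOiJSUzI1NiI prefix shown above.

```python
import base64
import json

# Constructed sample claims in the shape of a legacy OpenShift 3.x
# service-account token (a real token comes from `oc sa get-token`).
SAMPLE_CLAIMS = {
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "management-manageiq",
    "kubernetes.io/serviceaccount/secret.name": "management-admin-token-8ixxs",
    "kubernetes.io/serviceaccount/service-account.name": "management-admin",
    "sub": "system:serviceaccount:management-manageiq:management-admin",
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_sample_token(claims: dict) -> str:
    """UNSIGNED sample token for offline testing only: the signature segment
    is a placeholder, whereas a real token is RS256-signed by the cluster."""
    header = json.dumps({"alg": "RS256", "typ": "JWT"}, separators=(",", ":"))
    payload = json.dumps(claims, separators=(",", ":"))
    return ".".join([_b64url_encode(header.encode()),
                     _b64url_encode(payload.encode()),
                     "PLACEHOLDER_SIGNATURE"])


def inspect_sa_token(token: str, project: str, service_account: str) -> dict:
    """Decode header and claims (no signature check) and report whether the
    token is bound to the expected service account in the expected project."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    namespace = claims.get("kubernetes.io/serviceaccount/namespace")
    name = claims.get("kubernetes.io/serviceaccount/service-account.name")
    return {
        "alg": header.get("alg"),
        "namespace": namespace,
        "service_account": name,
        "matches": (header.get("alg") == "RS256"
                    and namespace == project and name == service_account),
    }
```

To check a real token, pass the output of `oc sa get-token` to inspect_sa_token together with the project and service account names you created above.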
Adding an OpenShift Container Platform Provider
After initial installation and creation of a ManageIQ environment, add an OpenShift Container Platform provider using the token obtained in Obtaining an OpenShift Container Platform Management Token and following the procedure below.
- Browse to menu: Compute > Containers > Providers.
- Click Configuration, then click (Add a New Containers Provider).
- Enter a Name for the provider.
- From the Type list, select OpenShift Container Platform.
- Enter the appropriate Zone for the provider. If you do not specify a zone, it is set to default.
- In the Default tab, configure the following for the OpenShift provider:
  - Select a Security Protocol method to specify how to authenticate the provider:
    - SSL: Authenticate the provider securely using a trusted Certificate Authority. Select this option if the provider has a valid SSL certificate and it is signed by a trusted Certificate Authority. No further configuration is required for this option.
    - SSL trusting custom CA: Authenticate the provider with a self-signed certificate. For this option, copy your provider’s CA certificate to the Trusted CA Certificates box in PEM format.
      Note: You can obtain your OpenShift Container Platform provider’s CA certificate for all endpoints (default, metrics, alerts) from /etc/origin/master/ca.crt. Paste the output (a block of text starting with -----BEGIN CERTIFICATE-----) into the Trusted CA Certificates field.
    - SSL without validation: Authenticate the provider insecurely (not recommended).
  - Enter the Hostname (or IPv4 or IPv6 address) of the provider.
    Important: The Hostname must use a unique fully qualified domain name.
  - Enter the API Port of the provider. The default port is 8443.
  - Enter a token for your provider in the Token box.
    Note: To obtain a token for your provider, run the oc get secret command on your provider; see Obtaining an OpenShift Container Platform Management Token. For example:
    # oc get secret --namespace management-infra management-admin-token-8ixxs --template='' | base64 --decode
  - Click Validate to confirm that ManageIQ can connect to the OpenShift Container Platform provider.
- In the Alerts endpoint tab optionally configure the alerts service:
  - Select a service type, or leave disabled. Prometheus alerts are only supported on OCP v3.
  - Select a Security Protocol method to specify how to authenticate the service:
    - SSL: Authenticate the provider securely using a trusted Certificate Authority. Select this option if the provider has a valid SSL certificate and it is signed by a trusted Certificate Authority. No further configuration is required for this option.
    - SSL trusting custom CA: Authenticate the provider with a self-signed certificate. For this option, copy your provider’s CA certificate to the Trusted CA Certificates box in PEM format.
    - SSL without validation: Authenticate the provider insecurely using SSL. (Not recommended)
  - Enter the Hostname (or IPv4 or IPv6 address) or alert Route.
  - Enter the API Port if your Prometheus provider uses a non-standard port for access. The default port is 443.
  - Click Validate to confirm that ManageIQ can connect to the alerts service.
- In the Metrics endpoint tab optionally configure the metrics service details:
  - Select a service type (Prometheus or Hawkular) or leave disabled.
  - Select a Security Protocol method to specify how to authenticate the service:
    - SSL: Authenticate the provider securely using a trusted Certificate Authority. Select this option if the provider has a valid SSL certificate and it is signed by a trusted Certificate Authority. No further configuration is required for this option.
    - SSL trusting custom CA: Authenticate the provider with a self-signed certificate. For this option, copy your provider’s CA certificate to the Trusted CA Certificates box in PEM format.
      Note: In OpenShift, the default deployment of the router generates certificates during installation, which can be used with the SSL trusting custom CA option. Connecting a Hawkular endpoint with this option requires the CA certificate that the cluster uses for service certificates, which is stored in /etc/origin/master/service-signer.crt on the first master in a cluster.
    - SSL without validation: Authenticate the provider insecurely using SSL. (Not recommended)
  - Enter the Hostname (or IPv4 or IPv6 address) of the metrics service. To find the hostname you can use the oc get route command. On OCPv4 you can get the Prometheus route by running:
    oc get route prometheus-k8s -n openshift-monitoring
    Example:
    oc get route prometheus-k8s -n openshift-monitoring
    NAME             HOST/PORT                                             PATH   SERVICES         PORT   TERMINATION          WILDCARD
    prometheus-k8s   prometheus-k8s-openshift-monitoring.ocp.example.com          prometheus-k8s   web    reencrypt/Redirect   None
    In this example you would use prometheus-k8s-openshift-monitoring.ocp.example.com as the metrics hostname. On OCPv3 you can get the Hawkular route by running:
    oc get route hawkular-metrics -n openshift-infra
    Or the Prometheus route:
    oc get route prometheus -n openshift-metrics
  - Enter the API Port if your Hawkular or Prometheus provider uses a non-standard port for access. The default port is 443.
  - Click Validate to confirm that ManageIQ can connect to the metrics endpoint.
- In the Virtualization endpoint tab optionally configure the virtualization service details:
  - Select a service type (KubeVirt) or leave disabled.
  - Select a Security Protocol method to specify how to authenticate the service:
    - SSL: Authenticate the provider securely using a trusted Certificate Authority. Select this option if the provider has a valid SSL certificate and it is signed by a trusted Certificate Authority. No further configuration is required for this option.
    - SSL trusting custom CA: Authenticate the provider with a self-signed certificate. For this option, copy your provider’s CA certificate to the Trusted CA Certificates box in PEM format.
    - SSL without validation: Authenticate the provider insecurely using SSL. (Not recommended)
  - Enter the Hostname (or IPv4 or IPv6 address) of the virtualization service.
  - Enter the API Port of your virtualization service. The default port is 443.
  - Enter a token for your provider in the Token box.
- Click the Advanced tab to add image inspector settings for scanning container images on your provider using OpenSCAP.
  Note:
  - These settings control downloading the image inspector container image from the registry and obtaining the Common Vulnerabilities and Exposures (CVE) information (for effective scanning) via a proxy.
  - CVE URL that ManageIQ requires to be open for OpenSCAP scanning: https://www.redhat.com/security/data/metrics/ds/. This information is based on the source code of OpenSCAP.
  - Enter the proxy information for the provider in either HTTP, HTTPS, or NO Proxy depending on your environment.
  - Enter the Image-Inspector Repository information. For example, openshift3/image-inspector.
  - Enter the Image-Inspector Registry information. For example, registry.access.redhat.com.
  - Enter the Image-Inspector Tag value. A tag is a mark used to differentiate images in a repository, typically by the application version stored in the image.
  - Enter https://www.redhat.com/security/data/metrics/ds/ in CVE location.
- Click Add.
  Note: You can also set global default image-inspector settings for all OpenShift providers in the advanced settings menu by editing the values under ems_kubernetes, instead of setting this for each provider. For example:
  :image_inspector_registry: registry.access.redhat.com
  :image_inspector_repository: openshift3/image-inspector
Enabling OpenShift Cluster Metrics
Use the OpenShift Cluster Metrics plug-in to collect node, pod, and container metrics into one location. This helps track usage and find common issues.
- Configure ManageIQ to allow for all three Capacity & Utilization server roles.
- Enable cluster metrics using the OpenShift Container Platform documentation.