Install OpenShift 4 on GCP

Here is how to install OpenShift 4.4 on Google Cloud Platform.

1. Initial setup for gcloud

$ gcloud init

$ gcloud config list
[compute]
region = us-central1
zone = us-central1-a
[core]
account = sample@example.com
disable_usage_reporting = True
project = [PROJECT_NAME]

2. Enable the APIs the installer needs

$ gcloud services enable compute.googleapis.com --project [PROJECT_NAME]
$ gcloud services enable cloudapis.googleapis.com --project [PROJECT_NAME]
$ gcloud services enable cloudresourcemanager.googleapis.com --project [PROJECT_NAME]
$ gcloud services enable dns.googleapis.com --project [PROJECT_NAME]
$ gcloud services enable iamcredentials.googleapis.com --project [PROJECT_NAME]
$ gcloud services enable iam.googleapis.com --project [PROJECT_NAME]
$ gcloud services enable servicemanagement.googleapis.com --project [PROJECT_NAME]
$ gcloud services enable serviceusage.googleapis.com --project [PROJECT_NAME]
$ gcloud services enable storage-api.googleapis.com --project [PROJECT_NAME]
$ gcloud services enable storage-component.googleapis.com --project [PROJECT_NAME]

3. Create a service account and assign its role

$ gcloud iam service-accounts create openshift-sa \
--description="sa-for-openshift" \
--display-name="openshift-sa"

$ gcloud iam service-accounts keys create ~/.gcp/osServiceAccount.json \
--iam-account openshift-sa@[PROJECT_NAME].iam.gserviceaccount.com

$ gcloud projects add-iam-policy-binding [PROJECT_NAME] \
--member "serviceAccount:openshift-sa@[PROJECT_NAME].iam.gserviceaccount.com" --role "roles/owner"

Note: roles/owner is the simplest choice and is what the OpenShift docs accept for a quick install; the docs also list a narrower set of roles if you want least privilege. The key in ~/.gcp/osServiceAccount.json is a long-lived credential carrying whichever role you grant, so keep it mode 0600, out of version control, and rotate it when the install is done.

4. Download openshift-install and the pull secret from the following link

https://cloud.redhat.com/openshift/install/gcp/installer-provisioned

5. Deploy

$ tar -xvf openshift-install-linux.tar.gz
$ mkdir ocp4
$ cp pull-secret.txt ocp4/
$ ./openshift-install create install-config --dir=./ocp4/
$ ./openshift-install create cluster --dir=./ocp4/ --log-level=info
INFO Credentials loaded from file "~/.gcp/osServiceAccount.json"
INFO Consuming Install Config from target directory
INFO Creating infrastructure resources...
INFO Waiting up to 20m0s for the Kubernetes API at https://api.[CLUSTER_NAME].[FQDN]:6443...
INFO API v1.17.1+912792b up
INFO Waiting up to 40m0s for bootstrapping to complete...
INFO Destroying the bootstrap resources...
INFO Waiting up to 30m0s for the cluster at https://api.[CLUSTER_NAME].[FQDN]:6443 to initialize...
INFO Waiting up to 10m0s for the openshift-console route to be created...
INFO Install complete!
INFO To access the cluster as the system:admin user when using 'oc', run 'export KUBECONFIG=~/ocp4/auth/kubeconfig'
INFO Access the OpenShift web-console here: https://console-openshift-console.apps.[CLUSTER_NAME].[FQDN] 
INFO Login to the console with user: kubeadmin, password: [PASSWORD]

Done
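A preflight script for steps 2 and 3 above, added here as an example and not part of the page or of the OpenShift installer. It enables the same ten APIs in one loop and checks the service-account key file before openshift-install consumes it: file mode, key type, project and account. The project name, account name, key path and the sample key it writes are assumptions / constructed data; the sample contains no real credential.

```sh
#!/bin/sh
# Added example (not from the original page): preflight for the GCP service
# account key that openshift-install reads. Names, paths and the sample key
# below are assumptions / constructed data.
set -eu

PROJECT="${PROJECT:-my-project}"          # assumed; replace with [PROJECT_NAME]
SA_NAME="${SA_NAME:-openshift-sa}"
KEY_FILE="${KEY_FILE:-$HOME/.gcp/osServiceAccount.json}"

# Enable the APIs the installer needs in one loop instead of ten commands.
enable_apis() { # $1 = project
  for api in compute cloudapis cloudresourcemanager dns iamcredentials iam \
             servicemanagement serviceusage storage-api storage-component; do
    gcloud services enable "$api.googleapis.com" --project "$1"
  done
}

# Pull a top-level string field out of the key JSON without jq.
json_field() { # $1 = file, $2 = field name
  sed -n "s/^[[:space:]]*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Returns 0 only if the key file is a service-account key for the expected
# account, in the expected project, and readable by the owner alone.
# (stat -c is GNU stat; on macOS use stat -f '%Lp'.)
check_sa_key() { # $1 = key file, $2 = project, $3 = service account name
  key=$1 project=$2 sa=$3
  [ -f "$key" ] || { echo "missing key file $key" >&2; return 1; }
  mode=$(stat -c '%a' "$key")
  [ "$mode" = "600" ] || { echo "$key is mode $mode, expected 600" >&2; return 1; }
  [ "$(json_field "$key" type)" = "service_account" ] \
    || { echo "$key is not a service account key" >&2; return 1; }
  [ "$(json_field "$key" project_id)" = "$project" ] \
    || { echo "$key belongs to another project" >&2; return 1; }
  [ "$(json_field "$key" client_email)" = "$sa@$project.iam.gserviceaccount.com" ] \
    || { echo "$key is for another account" >&2; return 1; }
  return 0
}

# Constructed sample key (no real credential) so the check can be exercised offline.
write_sample_key() { # $1 = path, $2 = project, $3 = service account name
  cat > "$1" <<EOF
{
  "type": "service_account",
  "project_id": "$2",
  "private_key_id": "0000000000000000000000000000000000000000",
  "private_key": "-----BEGIN PRIVATE KEY-----\nREDACTED\n-----END PRIVATE KEY-----\n",
  "client_email": "$3@$2.iam.gserviceaccount.com",
  "client_id": "000000000000000000000"
}
EOF
  chmod 600 "$1"
}

main() {
  enable_apis "$PROJECT"
  check_sa_key "$KEY_FILE" "$PROJECT" "$SA_NAME"
  export GOOGLE_CREDENTIALS="$KEY_FILE"   # openshift-install honours this variable as well
  echo "preflight ok"
}

# Only touch gcloud when explicitly asked: PREFLIGHT_RUN=1 sh preflight.sh
if [ "${PREFLIGHT_RUN:-}" = 1 ]; then main; fi
```

Run it with PREFLIGHT_RUN=1 after step 3; a wrong project, a key for a different account, or a world-readable key file stops the script before the installer starts.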

Harbor Installation & Configuration

Preparation

# mkdir /workspace
# cd /workspace
# wget https://github.com/goharbor/harbor/releases/download/v1.10.1/harbor-offline-installer-v1.10.1.tgz
# tar -xvf harbor-offline-installer-v1.10.1.tgz
# cd harbor

# vi harbor.yml

hostname: 192.168.65.141 <- Change to the Harbor host's IP or DNS name; whatever you put here must appear in the certificate's SAN list.
http:
  port: 80
https:
  port: 443
  certificate: /data/cert/example.com.crt
  private_key: /data/cert/example.com.key

Create self-signed SSL certificates

# openssl genrsa -out ca.key 4096

# openssl req -x509 -new -nodes -sha512 -days 3650 \
   -subj "/C=CN/ST=Jakarta/L=Jakarta/O=example/OU=Personal/CN=example.com" \
   -key ca.key \
   -out ca.crt

# openssl genrsa -out example.com.key 4096

# openssl req -sha512 -new \
   -subj "/C=CN/ST=Jakarta/L=Jakarta/O=example/OU=Personal/CN=example.com" \
   -key example.com.key \
   -out example.com.csr

# cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=example.com
DNS.2=example
DNS.3=harbor
IP.1=192.168.65.141
EOF

# openssl x509 -req -sha512 -days 3650 \
   -extfile v3.ext \
   -CA ca.crt -CAkey ca.key -CAcreateserial \
   -in example.com.csr \
   -out example.com.crt

# mkdir /data/cert/
# cp example.com.crt /data/cert/
# cp example.com.key /data/cert/
# openssl x509 -inform PEM -in example.com.crt -out example.com.cert
# mkdir /etc/docker/certs.d/example.com/
# cp example.com.cert /etc/docker/certs.d/example.com/
# cp example.com.key /etc/docker/certs.d/example.com/
# cp ca.crt /etc/docker/certs.d/example.com/
# cp ca.crt /usr/local/share/ca-certificates/
# update-ca-certificates
# systemctl restart docker

Notes: Docker only needs ca.crt under /etc/docker/certs.d/<registry host>/ to trust the registry; the .cert/.key pair in that directory is Docker's client-certificate slot, so copying the server's private key there (as the Harbor docs do) is not required and leaves a second copy of the key on disk. The directory name must equal the name you later pass to docker login, and that name has to resolve to the Harbor host (add an /etc/hosts entry for example.com if there is no DNS record). update-ca-certificates is the Debian/Ubuntu tool; on RHEL/CentOS copy ca.crt to /etc/pki/ca-trust/source/anchors/ and run update-ca-trust instead.
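Before pointing harbor.yml and Docker at the files, it is worth checking that the pair actually works: that the leaf chains to ca.crt, that the name in harbor.yml is in the SAN list, that the key matches the certificate, and that it is not close to expiry. The script below is an added example, not part of the Harbor docs or this page. build_demo_chain creates a throwaway CA and leaf (constructed material, with an explicit CA profile instead of relying on the default openssl.cnf) so the check can be exercised offline; the hostnames are assumptions.

```sh
#!/bin/sh
# Added example (not part of the Harbor docs or this page): sanity checks on the
# certificate pair before Harbor and Docker are pointed at it. The demo chain it
# builds is constructed throwaway material; hostnames are assumptions.
set -eu

# Returns 0 only if CERT chains to CA, carries HOST in its SANs, matches KEY
# and is not about to expire (30 days). Each failure prints why.
verify_harbor_cert() { # $1 host, $2 cert, $3 key, $4 ca
  host=$1 cert=$2 key=$3 ca=$4
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "$cert does not chain to $ca" >&2; return 1; }
  # Pull the SAN entries out one per line and require an exact DNS or IP match.
  openssl x509 -noout -text -in "$cert" \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | tr ',' '\n' | sed 's/^ *//' \
    | grep -qxF -e "DNS:$host" -e "IP Address:$host" \
    || { echo "$host is not in the SAN list of $cert" >&2; return 1; }
  [ "$(openssl x509 -noout -pubkey -in "$cert")" = "$(openssl pkey -pubout -in "$key" 2>/dev/null)" ] \
    || { echo "$key does not match $cert" >&2; return 1; }
  openssl x509 -noout -checkend 2592000 -in "$cert" >/dev/null \
    || { echo "$cert expires within 30 days" >&2; return 1; }
  return 0
}

# Build a throwaway CA + leaf in a temp dir, same shape as the page's commands
# (CA:FALSE leaf, serverAuth EKU, SANs), and print the directory.
build_demo_chain() { # $1 host to put in the SAN
  host=$1
  dir=$(mktemp -d)
  ( cd "$dir"
    # Explicit CA profile so the root is a CA on every OpenSSL version.
    cat > ca.cnf <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo Harbor CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -x509 -new -nodes -sha256 -days 365 -config ca.cnf \
      -key ca.key -out ca.crt 2>/dev/null
    openssl genrsa -out harbor.key 2048 2>/dev/null
    openssl req -new -sha256 -config ca.cnf -subj "/CN=$host" \
      -key harbor.key -out harbor.csr 2>/dev/null
    cat > v3.ext <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$host,IP:127.0.0.1
EOF
    openssl x509 -req -sha256 -days 365 -extfile v3.ext -CA ca.crt -CAkey ca.key \
      -CAcreateserial -in harbor.csr -out harbor.crt 2>/dev/null
  )
  echo "$dir"
}

# CHECK_CERTS=1 sh check-certs.sh  runs the check against the files from the page.
if [ "${CHECK_CERTS:-}" = 1 ]; then
  verify_harbor_cert example.com /data/cert/example.com.crt /data/cert/example.com.key ca.crt \
    && echo "certificate set is usable"
fi
```

The SAN check deliberately does an exact match rather than a regex: with the page's certificate, verify_harbor_cert 192.168.65.141 ... passes because of the IP.1 entry, while a harbor.yml hostname that is only the CN and not a SAN fails, which is exactly what modern Docker and browsers will do.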

Deploy Harbor

# ./prepare
# docker-compose down -v
# docker-compose up -d

Push Docker images

# docker login example.com
# docker tag mysql:latest example.com/project_name/mysql:latest
# docker push example.com/project_name/mysql:latest

The project (project_name here) has to exist in Harbor before the push; create it in the Harbor UI first, as a push to an unknown project is rejected.

Done

Monitoring Jenkins with Prometheus and Grafana

1. Run the jenkins, prometheus and grafana containers; in this tutorial all containers run on a single host.

# docker run -d --name jenkins -p 8080:8080 -p 50000:50000 invaleed/jenkins-custom
# docker run -d --name prometheus -p 9090:9090 prom/prometheus
# docker run -d --name grafana -p 3000:3000 grafana/grafana

(A container name may not contain a slash, so --name takes the short name and the image comes last.)

2. Install the "Prometheus metrics plugin" in Jenkins
3. Check the plugin by opening http://JENKINS_HOST:PORT/prometheus. By default the plugin serves this endpoint without authentication; if the Jenkins port is reachable from anywhere other than the monitoring host, enable the plugin's authenticated-endpoint option.
4. Change the Prometheus configuration by adding the following at the very bottom of prometheus.yml. JENKINS_HOST is resolved from inside the prometheus container, so use the host's IP, not localhost. Edits made inside the container survive docker restart but are lost when the container is recreated; bind-mount the file if you want them to persist.

# docker exec -it prometheus /bin/sh
# vi /etc/prometheus/prometheus.yml

- job_name: 'jenkins'
  metrics_path: /prometheus
  static_configs:
    - targets: ['JENKINS_HOST:PORT']

# docker restart prometheus

5. Log in to Grafana at http://GRAFANA_HOST:PORT/ with username admin / password admin, and change the default password immediately.
6. Configuration > Data Sources > Add data source > choose Prometheus, enter the URL "http://PROMETHEUS_HOST:PORT", Save & Test.
7. Dashboards > Import > enter dashboard ID 9964
8. Done
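The same three containers, brought up the way a practitioner would so that the two pitfalls above disappear: a named Docker network lets Prometheus reach Jenkins by container name instead of a host IP, the scrape config is bind-mounted from the host rather than edited inside the container, and Grafana gets its admin password from the environment instead of shipping with admin/admin. This is an added example, not the page's commands; the container names, the jenkins/jenkins:lts image (standing in for invaleed/jenkins-custom) and the working directory are assumptions.

```sh
#!/bin/sh
# Added example (not the page's commands): run the three containers on a named
# Docker network and hand Prometheus a bind-mounted config, so the scrape target
# can be addressed by container name and the config survives container recreation.
# Container names, ports, the image tag and the working directory are assumptions.
set -eu

WORKDIR="${WORKDIR:-$PWD/monitoring}"

# Emit prometheus.yml. Prometheus runs in its own network namespace, so the
# Jenkins target must be the container name (or the host's IP), never localhost.
render_prometheus_config() { # $1 jenkins target host:port
  cat <<EOF
global:
  scrape_interval: 15s

scrape_configs:
  - job_name: 'prometheus'
    static_configs:
      - targets: ['localhost:9090']

  - job_name: 'jenkins'
    metrics_path: /prometheus
    static_configs:
      - targets: ['$1']
EOF
}

# Structural check on a rendered config: the jenkins job must exist and must not
# point at localhost (the classic mistake when everything runs on one host).
check_prometheus_config() { # $1 config file
  grep -q "job_name: 'jenkins'" "$1" || { echo "jenkins job missing" >&2; return 1; }
  grep -q "metrics_path: /prometheus" "$1" || { echo "metrics_path missing" >&2; return 1; }
  if grep -A3 "job_name: 'jenkins'" "$1" | grep -qE "targets:.*(localhost|127\.0\.0\.1)"; then
    echo "jenkins target is localhost; use the container name or the host IP" >&2; return 1
  fi
  return 0
}

run_stack() {
  mkdir -p "$WORKDIR"
  render_prometheus_config jenkins:8080 > "$WORKDIR/prometheus.yml"
  check_prometheus_config "$WORKDIR/prometheus.yml"
  docker network inspect monitoring >/dev/null 2>&1 || docker network create monitoring
  docker run -d --name jenkins --network monitoring -p 8080:8080 -p 50000:50000 jenkins/jenkins:lts
  docker run -d --name prometheus --network monitoring -p 9090:9090 \
    -v "$WORKDIR/prometheus.yml:/etc/prometheus/prometheus.yml:ro" prom/prometheus
  # Grafana: set the admin password up front instead of leaving admin/admin.
  docker run -d --name grafana --network monitoring -p 3000:3000 \
    -e GF_SECURITY_ADMIN_PASSWORD="${GRAFANA_ADMIN_PASSWORD:?set GRAFANA_ADMIN_PASSWORD}" \
    grafana/grafana
  echo "Grafana data source URL: http://prometheus:9090"
}

# RUN_STACK=1 GRAFANA_ADMIN_PASSWORD=... sh monitoring.sh
if [ "${RUN_STACK:-}" = 1 ]; then run_stack; fi
```

With all three on the monitoring network, the Grafana data source URL is http://prometheus:9090 and the scrape target is jenkins:8080; to change the scrape config later, edit the file on the host and send Prometheus a docker restart.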

How to Create a Scalable Jenkins

Deploy the Jenkins deployment files; please refer to this link.

# kubectl create -f jenkins-deployment.yaml
# kubectl create -f jenkins-service.yaml
# kubectl create -f jenkins-ingress.yaml

Create a service account

# kubectl -n default create sa jenkins

Give cluster-admin permissions to the new account (this is far more than the Kubernetes plugin needs, which is only to create, attach to and delete agent pods in its own namespace; a namespaced Role is the better choice for anything beyond a lab)

# kubectl create clusterrolebinding jenkins --clusterrole cluster-admin --serviceaccount=default:jenkins

Retrieve the token (on Kubernetes 1.24 and later no token Secret is created for a service account automatically, so the pipeline below prints nothing; use kubectl -n default create token jenkins there instead)

# kubectl get -n default sa/jenkins --template='{{range .secrets}}{{ .name }} {{end}}' | xargs -n 1 kubectl -n default get secret --template='{{ if .data.token }}{{ .data.token }}{{end}}' | head -n 1 | base64 -d -

Copy the whole token printed at the console and go to Jenkins > Credentials > System > Global credentials > Add Credentials, change the Kind drop-down to Secret text, paste the token into Secret and create it with the ID "jenkins-sa".
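A least-privilege replacement for the cluster-admin binding above, added here as an example (not from the page or from the Kubernetes plugin project): one namespaced Role covering pods, pods/exec, pods/log and secrets, bound to the jenkins service account, plus a token helper that works on both old and new Kubernetes. The verb list is what the Kubernetes plugin's documented RBAC example grants as I recall it; check it against the plugin README for your version before relying on it. Role and namespace names are assumptions.

```sh
#!/bin/sh
# Added example (not from the page): a namespaced Role for the Jenkins service
# account instead of cluster-admin, plus token retrieval that also works on
# Kubernetes 1.24+, where service-account token Secrets are no longer created
# automatically. The verb list follows the Kubernetes plugin's documented RBAC
# example as I recall it (assumption); verify against the plugin README.
set -eu

NS="${NS:-default}"
SA="${SA:-jenkins}"

# Emit ServiceAccount + Role + RoleBinding for namespace $1 and account $2.
# Agent pods are created, attached to (exec/log) and deleted by the plugin;
# nothing here reaches outside the namespace or touches cluster-scoped objects.
render_jenkins_rbac() { # $1 namespace, $2 service account
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $2
  namespace: $1
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: jenkins-agent-manager
  namespace: $1
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: jenkins-agent-manager
  namespace: $1
subjects:
  - kind: ServiceAccount
    name: $2
    namespace: $1
roleRef:
  kind: Role
  name: jenkins-agent-manager
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Guard against the manifest silently regressing to cluster-wide rights.
check_rbac_manifest() { # $1 file
  grep -q "^kind: Role$" "$1" || { echo "no namespaced Role in $1" >&2; return 1; }
  if grep -qE "kind: ClusterRole(Binding)?$|cluster-admin" "$1"; then
    echo "$1 grants cluster-scoped rights" >&2; return 1
  fi
  return 0
}

# Token for the Jenkins "Secret text" credential. On 1.24+ kubectl create token
# mints a time-limited token (the API server may cap the duration); the fallback
# reads the legacy auto-created Secret on older clusters.
jenkins_sa_token() { # $1 namespace, $2 service account
  kubectl -n "$1" create token "$2" --duration=8760h 2>/dev/null && return 0
  secret=$(kubectl -n "$1" get sa "$2" -o jsonpath='{.secrets[0].name}')
  kubectl -n "$1" get secret "$secret" -o jsonpath='{.data.token}' | base64 -d
}

# APPLY_RBAC=1 sh jenkins-rbac.sh   applies the manifests and prints the token.
if [ "${APPLY_RBAC:-}" = 1 ]; then
  render_jenkins_rbac "$NS" "$SA" > jenkins-rbac.yml
  check_rbac_manifest jenkins-rbac.yml
  kubectl apply -f jenkins-rbac.yml
  jenkins_sa_token "$NS" "$SA"
fi
```

Use the printed token as the "jenkins-sa" secret text exactly as in the step above; the cluster-admin ClusterRoleBinding can then be deleted, and the plugin's pod template (namespace default) keeps working because everything it does is covered by the Role.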

Configure Jenkins

# Kubernetes
Name : kubernetes
Kubernetes URL : ["kubectl cluster-info | grep master"] (from a Jenkins running inside the cluster, https://kubernetes.default.svc also works)
Credentials : jenkins-sa
Jenkins URL : ["kubectl describe pod jenkins-xxx | grep IP:"] (a pod IP changes on every restart; prefer the Service created by jenkins-service.yaml, e.g. http://<service-name>.default.svc:8080)

# Pod Template
Name : jenkins-slave
Namespace : default
Labels : jenkins-slave

# Container Template
Name : jenkins-slave
Docker image : jenkins/jnlp-slave

Leave the other settings at their defaults.

Create a Jenkins job and test it!