Hulleman.io

Red Hat ITQ Winterschool - OpenShift Assignment

MVP - Pods and exposing

The MVP will create a Postgres database and pgAdmin application in OpenShift. The pgAdmin application will be exposed to the outside world using a route. No declaritive YAML files will be used, all resources will be created using the oc command line tool.

References:

• Postgres Docker Image
• pgAdmin Docker Image

app-1-dev

Create the project

oc new-project app-1-dev

Start the Postgres database pod

oc run postgres --image=postgres:14.20-trixie --env="POSTGRES_PASSWORD=postgres"

Start the pgAdmin pod

oc run pgadmin --image=elestio/pgadmin:REL-9_12 \
--env="PGADMIN_DEFAULT_EMAIL=info@redhat.com" 
--env="PGADMIN_DEFAULT_PASSWORD=pgadmin" \
--env="PGADMIN_LISTEN_PORT=8080" --port=8080

Expose the pod and create route to pod

oc expose pod pgadmin
oc create route edge --service=pgadmin

Access the application: https://pgadmin-app1-dev.apps.cluster-tqq9g.dynamic.redhatworkshops.io

Note: For this first version we did not connect PGAdmin to the DB.

Day 1 - Deployment and CNPG Operator

• This version is using the CNPG operator to create the Postgres database and use a Deployment for the pgAdmin application. This operator is installed via the GUI.
• The resources are created using the GUI first to get it working, after that we will use the oc command line tool to create the resources and export the YAML files.
• The pgAdmin application is configured to connect to the Postgres database using environment variables and a config file. This is not in scope for the exam.

References:

• CNPG Operator
• pgAdmin Docker Image
• pgAdmin Configuration

Define the Deployment for PGAdmin

Create the configmap for pgAdmin configuration

apiVersion: v1
kind: ConfigMap
metadata:
  name: pgadmin-config
data:
    PGADMIN_DEFAULT_EMAIL: info@redhat.com
    PGADMIN_DEFAULT_PASSWORD: pgadmin
    PGADMIN_LISTEN_PORT: "8080"

Create the configuration file for pgadmin servers

{
  "Servers": {
    "1": {
      "Name": "CNPG AppDB",
      "Group": "Kubernetes",
      "Host": "cluster-app1-dev-rw",
      "Port": 5432,
      "MaintenanceDB": "app",
      "Username": "app",
      "SSLMode": "require",
      "PassFile": "/var/lib/pgadmin/.pgpass"
    }
  }
}

Create the configMap for servers.json

oc create configmap pgadmin-servers --from-file=servers.json

Deploy the pgAdmin application using oc

oc create deployment pgadmin --image=elestio/pgadmin:REL-9_12

Create the service & route for pgAdmin

oc expose pod pgadmin --dry-run=client -o yaml

---
pretty yaml output

Mount the secret as a volume in the pgAdmin deployment

oc set volume deployment/pgadmin --add \
--name=pgadmin-config \
--type=secret \
--secret-name=pgadmin-config

Note: This documentation is not finished yet, although the first version is working. The full deployment file can be found at /data/deployment.yaml

Day 2 - Securing the deployment

Role Based Access Control (RBAC)

First create the groups and add some dummy user:

groups:

• app1-devs
  • full deployment rights in development: admin role
  • read only in production: cluster-reader role
• app1-ops
  • deploy and ops rights in production: admin role
  • manage routes, secrets and policies in production: create yourself

For the last role in the above overview, we need to create a custom role:

• routes: get, list, watch, create, update, patch, delete
• secrets: get, list, watch, create, update, patch, delete
• policies: get, list, watch, create, update, patch, delete

Secure ingress route

mtls -> reecrypt pgadmin 8080 -> 443 annotations for tls certificates on service mount certificate on pgadmin pod

We need to delete the existing PGAdmin route to reencrypt and create a new one:

oc delete route pgadmin
oc create route reencrypt --service=pgadmin --port=443

Patch the PGAdmin deployment to listen on port 443. Patching the port using the cli is difficult, we changed the deployment file and applied the changes using oc apply -f deployment.yaml

  ports:
  - containerPort: 443
    name: https
    protocol: TCP

Add the environment variable for PGAdmin to enble TLS

oc set env deployment/pgadmin PGADMIN_ENABLE_TLS=true

For annotation, you need to remember a string, which you can only find in the documentation by searching for “oc annotate service tls”: https://docs.redhat.com/en/documentation/openshift_container_platform/4.21/html/security_and_compliance/configuring-certificates#add-service-certificate_service-serving-certificate

oc annotate service pgadmin \
service.beta.openshift.io/serving-cert-secret-name=pgadmin-tls-secret

Set the environment variables for the cert files

oc set env deployment/pgadmin \
PGADMIN_SSL_KEY_FILE=/certs/tls.key \
PGADMIN_SSL_CERT_FILE=/certs/tls.crt

Update the deployment to use the volume for the TLS secret.

oc set volume deployment/pgadmin --add \
--name=pgadmin-tls-secret \
--type=secret \
--secret-name=pgadmin-tls-secret
--mount-path=/certs

The environmnent variable for the cert and key file is not working in PGAdmin. We changed the secret and added the path to the deployment:

- name: pgadmin-tls-secret
  secret:
    defaultMode: 420
    items:
    - key: tls.crt
      path: server.cert
    - key: tls.key
      path: server.key
    secretName: pgadmin-tls-secret

• create empty configmap with annotation to auto fill the configmap with servering cert ca data service.beta.openshift.io/inject-cabundle=true https://docs.redhat.com/en/documentation/openshift_container_platform/4.9/html/security_and_compliance/configuring-certificates

• in the route add the annotation to use the ca from the configmap to trust the certificate on the service/pod route.openshift.io/destination-ca-certificate-configmap: service-ca-bundle