
How to use the feeipa-operator on a managed kubernetes cluster #57

Open
bioinfornatics opened this issue Jul 11, 2022 · 10 comments

Comments

@bioinfornatics

bioinfornatics commented Jul 11, 2022

Dear team,
Firstly, thanks for your amazing work.
I am looking for a solution to get FreeIPA inside a Kubernetes cluster, and it seems that your work fits our needs.

So, after a look at the README, ./devel/install-local-tools.sh and the Makefile, it seems that the operator is designed to work with an OpenShift server.

So here is my question: is it possible to use this operator on a managed (by a cloud provider) Kubernetes cluster?
Thanks for your help.

Ideally a StatefulSets + Operators guide would be awesome.

I wish you a great day.

Jonathan

@bioinfornatics bioinfornatics changed the title How to use the feeipa-operator on a managed kubertes cluster How to use the feeipa-operator on a managed kubernetes cluster Jul 13, 2022
@bioinfornatics
Author

bioinfornatics commented Jul 14, 2022

Currently my main issue comes from config/certmanager/subscription.yaml

$ minikube kubectl  -- create -f config/certmanager/subscription.yaml
error: resource mapping not found for name: "cert-manager" namespace: "openshift-operators" from "config/certmanager/subscription.yaml": no matches for kind "Subscription" in version "operators.coreos.com/v1alpha1"
ensure CRDs are installed first

@frasertweedale
Collaborator

@bioinfornatics g'day. FYI this project is dormant. It may resume at a future time.

@avisiedo do you have any pointers about the cert-manager or docs you can point to?

@bioinfornatics
Author

bioinfornatics commented Jul 15, 2022

@frasertweedale good day :-)
OK, I will try to use a standard deployment for FreeIPA.
Anyway, below are some extra commands that were needed on my side to go further.

Add Subscription kind

minikube kubectl -- create -f https://github.com/operator-framework/operator-lifecycle-manager/releases/download/v0.21.2/crd.yaml
minikube kubectl -- create -f https://github.com/operator-framework/operator-lifecycle-manager/releases/download/v0.21.2/olm.yaml
minikube kubectl  -- create -f config/certmanager/subscription.yaml
minikube kubectl -- wait Subscription/cert-manager -n openshift-operators --for=condition=CatalogSourcesUnhealthy=False
minikube kubectl -- create -f config/certmanager/clusterissuer-selfsigned.yaml

use podman instead of docker

diff --git a/Makefile b/Makefile
index b275728..b4db61d 100644
--- a/Makefile
+++ b/Makefile
@@ -51,6 +51,8 @@ else
 GOBIN=$(shell go env GOBIN)
 endif
 
+DOCKER ?= docker
+
 # Setting SHELL to bash allows bash commands to be executed by recipes.
 # This is a requirement for 'setup-envtest.sh' in the test target.
 # Options are set to exit when a recipe line exits non-zero or a piped command fails.
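Review bot: `DOCKER ?= docker` is added without a comment saying that it is meant to be overridden, while the settings around it in this Makefile are commented (see the SHELL note just below). Add a line above it such as `# Container CLI used by the docker-* targets; override with DOCKER=podman`. A name like CONTAINER_TOOL would also read better than `DOCKER=podman`, and it is the name later operator-sdk scaffolded Makefiles use for the same variable.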
@@ -112,11 +114,11 @@ run: manifests generate fmt vet ## Run a controller from your host (it requires
 
 .PHONY: docker-build
 docker-build:  ## Build docker image with the manager.
-       docker build -t ${IMG} .
+       $(DOCKER) build -t ${IMG} .
 
 .PHONY: docker-push
 docker-push: ## Push docker image with the manager.
-       docker push ${IMG}
+       $(DOCKER) push ${IMG}
 
 ##@ Deployment
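Review bot: only the docker-build and docker-push recipes switch to `$(DOCKER)`; the `##` help strings on both targets still say "Build docker image" / "Push docker image", and any other target in this Makefile that shells out to docker (the bundle-build and catalog-build targets mentioned later in this thread, if they are defined here) still runs the hard-coded binary. Grep the Makefile for remaining bare `docker ` invocations and substitute them in the same patch, and reword the help strings to "container image" so `make help` does not promise docker when podman is configured.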

which allows running make docker-build DOCKER=podman
The same idea to allow the use of kubectl instead of oc would be much appreciated.

local build

sudo bash -c '
GO_VERSION=1.18
GO_PRIORITY=11800
GODOC_VERSION="v0.1.11"
DELVE_VERSION="v1.7.1"
GOLINT_VERSION="master"
KUSTOMIZE_VERSION="v3.2.3"
OPERATOR_SDK_VERSION=1.22.1
export GOPATH="/opt/gotool/${GO_VERSION}/"
export GOBIN="/opt/gotool/${GO_VERSION}/bin/"

dnf install -y golang
mkdir -p "${GOBIN}"

# operator-sdk release binaries; -f makes curl fail on an HTTP error instead of saving the error page as the binary
for tool in ansible-operator helm-operator operator-sdk; do
  curl -fL -o "${GOBIN}/${tool}" "https://github.com/operator-framework/operator-sdk/releases/download/v${OPERATOR_SDK_VERSION}/${tool}_linux_amd64"
done
chmod +x "${GOBIN}"/*

# Go-based tools, installed into GOBIN
go install golang.org/x/exp/typeparams@latest && echo "Installed typeparams"
go install golang.org/x/tools/cmd/godoc@${GODOC_VERSION} && echo "Installed godoc"
go install github.com/go-delve/delve/cmd/dlv@${DELVE_VERSION} && echo "Installed dlv"
go install golang.org/x/lint/golint@${GOLINT_VERSION} && echo "Installed golint"
go install sigs.k8s.io/kustomize/kustomize/v3@${KUSTOMIZE_VERSION} && echo "Installed kustomize"
go install sigs.k8s.io/controller-tools/cmd/[email protected] && echo "Installed controller-gen"

# one alternatives group (name gotool, master link dlv) with every other tool as a slave link,
# so the whole toolchain is switched together by a single priority
update-alternatives --install /usr/local/bin/dlv               gotool            ${GOBIN}/dlv ${GO_PRIORITY} \
                    --slave   /usr/local/bin/golint            golint            ${GOBIN}/golint \
                    --slave   /usr/local/bin/kustomize         kustomize         ${GOBIN}/kustomize \
                    --slave   /usr/local/bin/controller-gen    controller-gen    ${GOBIN}/controller-gen \
                    --slave   /usr/local/bin/operator-sdk      operator-sdk      ${GOBIN}/operator-sdk \
                    --slave   /usr/local/bin/ansible-operator  ansible-operator  ${GOBIN}/ansible-operator \
                    --slave   /usr/local/bin/helm-operator     helm-operator     ${GOBIN}/helm-operator
'

build controller-gen

GO_VERSION=1.18
export GOPATH="/opt/gotool/${GO_VERSION}/"
export GOBIN="/opt/gotool/${GO_VERSION}/bin/"
make build CONTROLLER_GEN=${GOBIN}/controller-gen

I wish you a good day

@avisiedo
Contributor

avisiedo commented Jul 25, 2022

@bioinfornatics Sorry for the delay, and thank you very much for your issue; the following could simplify the OLM installation:

./bin/operator-sdk olm install

A few additional notes:

  • You will only need to install cert-manager if you deploy the operator by yourself; if you use 'olm', it creates the necessary certificates for the webhooks, so you could avoid the installation (https://olm.operatorframework.io/docs/advanced-tasks/adding-admission-and-conversion-webhooks/#certificate-authority-requirements).
  • The operator creates a Route resource, which is handled by a controller in OpenShift clusters, but minikube does not provide a controller for it. The Route makes it easier to expose the web frontend by creating the necessary resources. Your Kubernetes version would need to translate that Route resource into an Ingress resource.
  • Kubernetes as it is does not provide the same security mechanisms that OpenShift provides. Kubernetes does not have a SecurityContextConstraint (https://docs.openshift.com/container-platform/4.10/authentication/managing-security-context-constraints.html) controller to manage it, for instance, so the admission controller for it does not exist (anyway, in the future it would be more restricted). OpenShift enables and configures SELinux on all the nodes, which provides additional security and isolation for the workloads; that is just the most immediate thing that comes to my mind.
  • When running make bundle-install you may need to set the variable WATCH_NAMESPACE to the current namespace, that is: make bundle-install WATCH_NAMESPACE="my-freeipa". The same applies to building all the necessary containers with make docker-build docker-push catalog-build catalog-push bundle-build bundle-push WATCH_NAMESPACE="my-freeipa".
  • I have run into a situation when running the above in minikube where I get FATA[0001] Failed to run bundle: create catalog: error creating catalog source: namespaces "my-freeipa" not found, and I have not found a way to solve it (the my-freeipa namespace exists, which is the weird thing).

By the way, as @frasertweedale said, this project is dormant and it may resume at a future time.

Hope this helps!
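The Route-to-Ingress translation mentioned in the second note above, as an added example that is not part of the operator or of the comment. FreeIPA's own httpd serves TLS with a certificate issued by the IPA CA, and browser Kerberos (SPNEGO) authenticates against the HTTP/<hostname> principal, so the TLS session is passed through to the pod rather than terminated at the edge. The Service name (freeipa), namespace (my-freeipa), hostname (ipa.example.test) and the use of ingress-nginx are assumptions for the sake of the example.

```yaml
# Added example, not taken from the freeipa-operator: replacing the OpenShift
# Route with an Ingress on a plain Kubernetes cluster.
# Assumptions: a Service "freeipa" in namespace "my-freeipa" exposing port 443,
# and an ingress-nginx controller started with --enable-ssl-passthrough.
---
# Shape of a Route for the web UI. The OpenShift router acts on it; minikube or
# a managed cluster has no Route controller, so the object would be inert there.
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: freeipa
  namespace: my-freeipa
spec:
  host: ipa.example.test
  to:
    kind: Service
    name: freeipa
  port:
    targetPort: 443
  tls:
    termination: passthrough   # httpd in the pod presents the IPA CA-issued cert
---
# Equivalent Ingress for ingress-nginx. With ssl-passthrough the controller
# routes on the TLS SNI name only and never decrypts the traffic, so the
# browser sees the IPA certificate and SPNEGO for HTTP/ipa.example.test works.
# No spec.tls block is needed: the Ingress holds no certificate of its own.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: freeipa
  namespace: my-freeipa
  annotations:
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
  ingressClassName: nginx
  rules:
    - host: ipa.example.test
      http:
        paths:
          - path: /            # nominal: passthrough cannot route on HTTP paths
            pathType: Prefix
            backend:
              service:
                name: freeipa
                port:
                  number: 443
```

Because passthrough works at the TLS layer, everything sent for that SNI host reaches the FreeIPA service unchanged; path-based routing, header rewriting and edge rate limiting are not available on this Ingress, and if the controller was not started with --enable-ssl-passthrough the annotation is silently ignored and clients get the controller's default certificate instead of the IPA one.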

@batistein

@avisiedo why is the project dormant? And wouldn't it be useful to update the README then? I just came across this operator and would find it awesome if the development would continue!

@frasertweedale
Collaborator

@batistein the reason is the combination of:

  • Higher priorities took over
  • OpenShift platform still lacks important features for running Pod workload securely, isolated both from host and other containers. User namespaces is the main gap, and that is still some way from being delivered in a supportable way in either Kubernetes or OpenShift.

Yes, we should update the README to reflect this :)
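The two platform gaps raised in this thread (no SecurityContextConstraints admission on plain Kubernetes in @avisiedo's notes above, and the missing user-namespace support in the reply just above) map onto specific Kubernetes features. The manifests below are an added example, not part of the operator or of either comment: Pod Security Admission labels on the namespace as the plain-Kubernetes stand-in for an SCC, a pod that the restricted profile admits, and the hostUsers field that asks for a user namespace. The namespace name, image and UID are assumptions, and the statement that the stock FreeIPA container wants root plus extra capabilities is an assumption made to illustrate what the restricted profile rejects.

```yaml
# Added example, not taken from the freeipa-operator: the Kubernetes pieces that
# stand in for OpenShift SCC admission and for the user-namespace gap.
---
# 1. Pod Security Admission (built into kube-apiserver; GA since Kubernetes 1.25).
#    The enforce label is the nearest plain-Kubernetes equivalent to an SCC that
#    forbids privileged requests. A pod that asks for runAsUser 0, host
#    namespaces or added capabilities (assumed to be what a systemd-based FreeIPA
#    image needs) is rejected at admission in this namespace.
apiVersion: v1
kind: Namespace
metadata:
  name: my-freeipa
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
---
# 2. A pod the "restricted" profile admits: non-root UID, no privilege
#    escalation, all capabilities dropped, runtime default seccomp profile.
apiVersion: v1
kind: Pod
metadata:
  name: restricted-example
  namespace: my-freeipa
spec:
  # 3. User namespaces: hostUsers=false maps UID 0 inside the container to an
  #    unprivileged UID on the node, which is the isolation the maintainers say
  #    is still missing in a supportable form. The field is alpha (Kubernetes
  #    1.25 onwards) behind the user-namespaces feature gate; without the gate
  #    the API server rejects it, so drop this line on clusters that lack it.
  hostUsers: false
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001          # assumed UID; the image below runs as root by default
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: app
      image: registry.access.redhat.com/ubi9/ubi-minimal   # assumed stand-in image
      command: ["sleep", "infinity"]
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
```

Apply the namespace first and then try the pod; to see the admission side of this, change runAsUser to 0 or add `capabilities: {add: ["SYS_ADMIN"]}` and the API server refuses the pod with a message naming the violated restricted-profile checks. SELinux labelling of the node, the other mechanism the note mentions, is a node configuration matter and has no manifest equivalent here.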

@bioinfornatics
Author

Thanks @avisiedo @batistein @frasertweedale

@NeverMore93

@bioinfornatics May I ask how you finally got FreeIPA running on k8s? Could you provide some documentation?

@frasertweedale
Collaborator

@NeverMore93 we shelved the project. There are blockers in the Kube/OpenShift platform that prevented us from running the container in the way we wanted. Never say never (these blockers are gradually being addressed), but for about a year now our team has been working on other things.

@batistein

We moved to authentik https://goauthentik.io/

5 participants