Deployment on OpenShift with Internet Connection

Preparation OpenShift Container Platform

Smartfacts creates its own ServiceAccounts during the deployment. The additional ServiceAccounts are restricted.

The default is OpenShift SCC.

The SCC nonroot as well as nonroot-v2 must be added to the following ServiceAccounts:

  • smartfacts

  • smartfacts-certtool

  • smartfacts-mongodb

  • genoslc-codebeamer-certtool

  • genoslc-codebeamer-mongodb

oc adm policy add-scc-to-user nonroot-v2 -z smartfacts -n smartfacts
oc adm policy add-scc-to-user nonroot-v2 -z smartfacts-certtool -n smartfacts
oc adm policy add-scc-to-user nonroot-v2 -z smartfacts-mongodb -n smartfacts
oc adm policy add-scc-to-user nonroot-v2 -z genoslc-codebeamer-certtool -n genoslc-codebeamer
oc adm policy add-scc-to-user nonroot-v2 -z genoslc-codebeamer-mongodb -n genoslc-codebeamer

 

Please also check "Managing security context constraints" in the "Authentication and authorization" section of the OpenShift Container Platform 4.14 documentation.

Requirements

  • OpenShift Container Platform 4.1.x or higher

    • Persistent Storage (if supported)

  • Helm 3.x or higher

Prepare Deployment

Add MID repository

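You will need a username and password to download the Helm chart and containers from MID's repository. You will receive the username and password from your MID contact or from cops@mid.de. A password passed with --password is recorded in the shell history and is visible in the process list; helm repo add also accepts --password-stdin.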

helm repo add mid-smartfacts https://repo.secure.mid.de/chartrepo/smartfacts --username <USERNAME> --password <PASSWORD> && helm repo update

Provide Certificates and Key as Base64 String

Prerequisite: The complete certificate chain is in a file as base64-encoded x509 certificates. The certificates are contained in the file in the correct order (server certificate at the top, root certificate at the bottom). See Section “Certificates” above in this article.

Save certificate chain as a base64 string:

cat <your certificate chain.crt> | base64 -w0 > chain.crt.base64

Save certificate key as base64 string:
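
The two steps above can be guarded by a pre-flight check. The following is an added example, not part of MID's instructions: it confirms that the chain file is ordered server certificate first and self-signed root last and that the key belongs to the server certificate, then writes chain.crt.base64 and key.base64. The function name check_chain and its file arguments are assumptions; it compares issuer and subject names and public keys only and does not verify signatures or trust.

```bash
# Added example, not MID's script. check_chain and its arguments are assumptions.
# Usage: check_chain <chain.crt> <server.key>
check_chain() {
  local chain=$1 key=$2 tmp n i next pub rc=0
  tmp=$(mktemp -d) || return 2
  # Split the PEM bundle into one file per certificate, keeping file order.
  n=$(awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
        n { print > (d "/cert-" n ".pem") }
        END { print n + 0 }' "$chain") || n=0
  if [ "$n" -lt 1 ]; then
    echo "no certificates found in $chain" >&2
    rc=1
  fi
  i=1
  while [ "$rc" -eq 0 ] && [ "$i" -le "$n" ]; do
    # Every certificate must be issued by the one below it in the file;
    # the last one must be self-signed (the root).
    if [ "$i" -eq "$n" ]; then next=$i; else next=$((i + 1)); fi
    if [ "$(openssl x509 -noout -issuer_hash -in "$tmp/cert-$i.pem" 2>/dev/null)" != \
         "$(openssl x509 -noout -subject_hash -in "$tmp/cert-$next.pem" 2>/dev/null)" ]; then
      echo "certificate $i is not issued by certificate $next (wrong order or missing link)" >&2
      rc=1
    fi
    i=$((i + 1))
  done
  if [ "$rc" -eq 0 ]; then
    # The private key must belong to the first (server) certificate.
    pub=$(openssl x509 -noout -pubkey -in "$tmp/cert-1.pem" 2>/dev/null) || pub=
    if [ -z "$pub" ] ||
       [ "$pub" != "$(openssl pkey -pubout -in "$key" 2>/dev/null)" ]; then
      echo "private key does not match the server certificate" >&2
      rc=1
    fi
  fi
  rm -rf "$tmp"
  [ "$rc" -eq 0 ] || return "$rc"
  # Same encoding as in the steps above: one unwrapped base64 line per file.
  base64 -w0 < "$chain" > chain.crt.base64
  ( umask 077; base64 -w0 < "$key" > key.base64 )  # key material: owner-only
}
```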

Customize values.yaml and group_rules.yaml

  • Change to your user's home directory on the server and create a new text file values.yaml with the following content:

 

  • Replace

    • the value of the domain property with your domain name.

    • the value of the repologin property with the value provided by MID.

    • the placeholder of the crtFullChain property with the content of the file chain.crt.base64.

    • the placeholder of the key property with the content of the key.base64 file.

    • the placeholder for the externalUrls property with the URL of your Jama or Codebeamer instance. If you connect multiple instances, delimit the URLs with a space.

    • the placeholder in authorizationUri, tokenUri and userInfoUri with the appropriate URLs of your identity provider instance.

    • the placeholder administrator1 with the name of the user who should be allowed to configure the OSLC Connector. In PoC installations with Keycloak this user is called “acm”.

    • the placeholder user id of OpenShift project with the user id associated with your OpenShift project.

  • Save the values.yaml file.

groups_rules.yaml content

 

Save it as groups_rules.yaml in the deployment folder.

 

Install Smartfacts

Execute the Installation

Enter the following command to execute the installation:

Watch Deployment (in a new Session)

Open a second session on the server and enter the following command:

As soon as all deployments are available, the installation is ready.

 

Troubleshooting

For general OpenShift troubleshooting you can consult the CLI commands reference.

Detect running containers

Show log of specific container

Clean up

 

Additional todos

  • Create custom SCC policy to allow the newly created namespace to use the SCC “nonroot/nonroot-v2”.