# OpenShift-Lab

This project is my Ansible Playbook to install OpenShift on my Hetzner server.

## Operating System install

Go to [access.redhat.com](https://access.redhat.com/downloads/content/69/ver=/rhel---7/7.6/x86_64/product-software) and download the boot ISO image of the latest RHEL 7.

Upload this ISO image to any large file transfer such as [send.firefox.com](https://send.firefox.com) or [dl.free.fr](http://dl.free.fr/).

Go to your [Hetzner console](https://robot.your-server.de/server), select your server and book a KVM (**Support** > **Remote Console (KVM)** > **I would like to make an appointment**).
Choose a date, time and duration. For the duration, two hours should be enough.

In the message box, type something like:

```raw
Dear Hetzner Support team,

I would like to install RHEL 7 on my server. Could you please burn the following ISO image on a CD or prepare a USB Key accordingly for me ?

<Put the link to the ISO image here>

Many thanks for your help.

Best regards.
```

Click **Send Request**

At the specified timeframe, you should receive a mail containing the login details to connect to your KVM.

Open the KVM console. This is a Java applet, so make sure there is no security restriction on their execution.

Reboot your server using the **Ctrl+Ald+Delete** button.

When the bios shows up, press **<F11>** to enter the boot menu and boot from the CD or USB Key, according to the Hetzner instructions.

[![Hetzner install](https://img.youtube.com/vi/q-brW2_23Lo/0.jpg)](https://www.youtube.com/watch?v=q-brW2_23Lo)

## Getting a public certificates with Let's encrypt

On the Ansible control node, install [lego](https://github.com/go-acme/lego):

```sh
brew install lego
```

Get a certificate for the wildcard domain as well as the master hostname:

```sh
GANDIV5_API_KEY=[REDACTED] lego -d openshift.itix.fr -d app.itix.fr -d '*.app.itix.fr' -a -m your.email@example.test --path $HOME/.lego --dns gandiv5 run
```

See [this guide](https://github.com/nmasse-itix/OpenShift-Examples/tree/master/Public-Certificates-with-Letsencrypt) for more details.

## Preparation

Register the server on RHN:

```sh
sudo subscription-manager register --name=openshift.itix.fr
sudo subscription-manager refresh
sudo subscription-manager list --available --matches '*Employee SKU*'
sudo subscription-manager attach --pool=8a85f9833e1404a9013e3cddf95a0599
```

Edit `/etc/sysconfig/network-scripts/ifcfg-eno1` and add:

```sh
NM_CONTROLLED="yes"
PEERDNS="yes"
DOMAIN="itix.fr"
```

## OpenShift Install

Create a file named `group_vars/OSEv3`, containing your secrets:

```sh
cat <<EOF > group_vars/OSEv3
---
# Generated on https://access.redhat.com/terms-based-registry/
oreg_auth_password: your.password.here
oreg_auth_user: '123|user-name'

openshift_additional_registry_credentials:
- host: registry.connect.redhat.com
  user: rhn-username
  password: rhn-password
  test_image: sonatype/nexus-repository-manager:latest

# see: https://github.com/nmasse-itix/OpenShift-Examples/tree/master/Login-to-OpenShift-with-your-Google-Account
openshift_master_identity_providers:
- name: RedHat
  login: true
  challenge: false
  kind: GoogleIdentityProvider
  clientID: your.client_id.apps.googleusercontent.com
  clientSecret: your.client_secret.here
  hostedDomain: redhat.com
EOF
```

Create a file named `group_vars/all`, containing your global variables:

```sh
cat <<EOF > group_vars/OSEv3
---
# The regular user account you created on your server
ansible_ssh_user: nicolas
EOF
```

Run the OpenShift install:

```sh
ansible-playbook -i prod.hosts playbooks/preparation.yml
ansible-playbook -i prod.hosts openshift-ansible/playbooks/deploy_cluster.yml
ansible-playbook -i prod.hosts playbooks/post-install.yml
```

## Deploy the Software Factory

### Red Hat SSO

```sh
oc new-project sso --display-name="Single Sign-On"
for resource in sso73-image-stream.json \
  sso73-x509-https.json \
  sso73-x509-postgresql-persistent.json
do
  oc replace -n openshift --force -f \
  https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/sso73-dev/templates/${resource}
done
oc -n openshift import-image redhat-sso73-openshift:1.0
oc policy add-role-to-user view system:serviceaccount:$(oc project -q):default

oc new-app --template=sso73-x509-postgresql-persistent --name=sso -p SSO_HOSTNAME=sso.app.itix.fr -p DB_USERNAME=sso -p SSO_ADMIN_USERNAME=admin -p DB_DATABASE=sso
oc delete route sso
oc create -f - <<EOF
  apiVersion: v1
  id: sso-https
  kind: Route
  metadata:
    annotations:
      description: Route for application's https service.
    labels:
      application: sso
    name: sso
  spec:
    host: sso.app.itix.fr
    tls:
      termination: reencrypt
    to:
      name: sso
EOF
```

### Jenkins

```sh
oc project factory --display-name="Software Factory"
oc new-app --template=jenkins-persistent --name=jenkins -p MEMORY_LIMIT=2Gi
oc set env dc/jenkins JENKINS_OPTS=--sessionTimeout=86400

oc delete route jenkins
oc create -f - <<EOF
  apiVersion: v1
  kind: Route
  metadata:
    annotations:
      haproxy.router.openshift.io/timeout: 4m
      template.openshift.io/expose-uri: http://{.spec.host}{.spec.path}
    name: jenkins
  spec:
    host: jenkins.app.itix.fr
    tls:
      insecureEdgeTerminationPolicy: Redirect
      termination: edge
    to:
      kind: Service
      name: jenkins
EOF

oc process -f https://raw.githubusercontent.com/microcks/microcks-jenkins-plugin/master/openshift-jenkins-master-bc.yml | oc create -f -
oc set triggers dc/jenkins --remove --from-image=openshift/jenkins:2
oc set triggers dc/jenkins --from-image=microcks-jenkins-master:latest -c jenkins
```

### Microcks

```sh
oc project factory
git clone https://github.com/microcks/microcks-ansible-operator.git
cd microcks-ansible-operator/
oc create -f deploy/crds/microcks_v1alpha1_microcksinstall_crd.yaml
oc create -f deploy/service_account.yaml
oc create -f deploy/role.yaml
oc create -f deploy/role_binding.yaml
oc create -f deploy/operator.yaml

oc replace -n factory -f - <<EOF
apiVersion: microcks.github.io/v1alpha1
kind: MicrocksInstall
metadata:
  name: microcks
spec:
  name: microcks
  version: "0.7.1"
  microcks:
    replicas: 1
    url: microcks.app.itix.fr
  postman:
    replicas: 1
  keycloak:
    install: false
    url: sso.app.itix.fr
    replicas: 1
  mongodb:
    install: true
    persistent: true
    volumeSize: 2Gi
    replicas: 1
EOF

oc create -f - <<EOF
kind: OAuthClient
apiVersion: v1
metadata:
  name: microcks
respondWithChallenges: false
secret: $(uuidgen)
redirectURIs:
- https://sso.app.itix.fr/auth/realms/microcks/broker/openshift-v3/endpoint
EOF
oc get oauthclient microcks -o yaml
```

### Nexus

```sh
oc project factory
oc create secret docker-registry partner-registry --docker-username=your.rhn.login --docker-password=your.rhn.password --docker-email=your.email@example.test --docker-server=registry.connect.redhat.com
oc secrets link default partner-registry --for=pull
oc import-image nexus-repository-manager:latest --confirm --scheduled --from=registry.connect.redhat.com/sonatype/nexus-repository-manager:latest

oc new-app nexus-repository-manager --name=nexus
oc patch dc/nexus -p '{"spec":{"strategy":{"type":"Recreate"}}}'
oc expose svc/nexus --hostname=nexus.app.itix.fr
oc patch route/nexus -p '{"spec":{"tls":{"insecureEdgeTerminationPolicy":"Redirect","termination":"edge"}}}'

oc set probe dc/nexus --liveness --failure-threshold 3 --initial-delay-seconds 30 --open-tcp=8081
oc set probe dc/nexus --readiness --failure-threshold 3 --initial-delay-seconds 30 --get-url=http://:8081/service/rest/repository/browse/maven-public/

oc set volumes dc/nexus --add --name 'nexus-volume-1' --type 'pvc' --mount-path '/nexus-data/' --claim-name 'nexus' --claim-size '1Gi' --overwrite

curl -o /tmp/nexus-functions -s https://raw.githubusercontent.com/OpenShiftDemos/nexus/master/scripts/nexus-functions
source /tmp/nexus-functions
add_nexus3_redhat_repos admin admin123 https://nexus.app.itix.fr
```