The 4.6 version of OpenShift is based on Kubernetes 1.19.
We assume you have an operational cluster that meets the
technical requirements and that you
have sufficient privileges to perform the necessary oc adm
operations detailed below.
Create an `openwhisk` project (Kubernetes namespace) using the command:
```shell
oc new-project openwhisk
```
Because OpenShift doesn’t allow pods to run with arbitrary UIDs by default, you will need to adjust some policy options before deploying OpenWhisk. The `-z` flag names a service account in the current project, so execute the following commands from the `openwhisk` project:
```shell
oc adm policy add-scc-to-user anyuid -z default
oc adm policy add-scc-to-user privileged -z default
oc adm policy add-scc-to-user anyuid -z openwhisk-core
oc adm policy add-scc-to-user privileged -z openwhisk-core
oc adm policy add-scc-to-user anyuid -z owdev-init-sa
oc adm policy add-scc-to-user privileged -z owdev-init-sa
```
You must use the KubernetesContainerFactory on OpenShift.
A Red Hat OpenShift on IBM Cloud cluster has full support for TLS including a wild-card certificate for subdomains and can be configured with additional annotations to fine tune ingress performance.
First, determine the values for `<domain>` and `<ibmtlssecret>` for your cluster by running the command:
```shell
ibmcloud cs cluster get -c <mycluster>
```
The CLI output will look something like:
```
ibmcloud cs cluster get -c <mycluster>
Retrieving cluster <mycluster>...
OK
Name: <mycluster>
...
Ingress Subdomain: <domain>
Ingress Secret: <ibmtlssecret>
...
```
The ingress secret is not automatically copied to new OpenShift projects. Before deploying OpenWhisk, you will need to copy the ingress secret (`<ibmtlssecret>`) from the `openshift-ingress` namespace to the `openwhisk` namespace.
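One way to perform that copy, as an added example rather than a command from the OpenWhisk project: it keeps only the portable fields of the Secret so that server-populated metadata from `openshift-ingress` is not carried over. It assumes the secret stores its certificate and key under `tls.crt` and `tls.key`; the function names and the `SAMPLE` manifest are constructed for illustration.

```python
import json
import subprocess
import sys

SRC_NS = "openshift-ingress"  # source namespace named on this page
DST_NS = "openwhisk"          # project created earlier on this page

# Constructed sample of `oc get secret ... -o json` output (not real key material).
SAMPLE = {
    "apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
    "metadata": {"name": "example-tls", "namespace": SRC_NS, "uid": "constructed-uid",
                 "resourceVersion": "12345", "creationTimestamp": "2021-01-01T00:00:00Z",
                 "ownerReferences": [{"kind": "Example", "name": "constructed"}]},
    "data": {"tls.crt": "Q09OU1RSVUNURUQ=", "tls.key": "Q09OU1RSVUNURUQ="},
}


def retarget_tls_secret(secret: dict, dst_ns: str = DST_NS) -> dict:
    """Return a clean copy of a TLS Secret manifest for another namespace.

    Drops uid, resourceVersion, creationTimestamp, ownerReferences and any
    other server-set metadata so the API server treats the object as new.
    """
    if secret.get("kind") != "Secret":
        raise ValueError("not a Secret manifest")
    data = secret.get("data") or {}
    missing = {"tls.crt", "tls.key"} - set(data)  # assumption: standard TLS keys
    if missing:
        raise ValueError(f"secret is missing keys: {sorted(missing)}")
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": secret.get("type", "Opaque"),
        "metadata": {"name": secret["metadata"]["name"], "namespace": dst_ns},
        "data": dict(data),
    }


def copy_secret(name: str) -> None:
    """Read the secret with oc, retarget it, and apply it in DST_NS."""
    raw = subprocess.run(["oc", "get", "secret", name, "-n", SRC_NS, "-o", "json"],
                         check=True, capture_output=True, text=True).stdout
    manifest = json.dumps(retarget_tls_secret(json.loads(raw)))
    # The manifest contains the private key: hand it over on stdin, not via a file.
    subprocess.run(["oc", "apply", "-f", "-"], input=manifest, check=True, text=True)


if __name__ == "__main__":
    copy_secret(sys.argv[1])  # argument: the <ibmtlssecret> value from the CLI output
```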
As described in IBM's ingress documentation, to enable applications deployed in multiple namespaces to share the ingress resource, you should use a unique subdomain name for each namespace. We suggest a convention of using the namespace name as the subdomain name. So if you are deploying OpenWhisk into the `openwhisk` namespace, use `openwhisk` as your subdomain (as shown below in the example `mycluster.yaml`).
A template [mycluster.yaml](../deploy/ibm-public/mycluster-roks.yaml) for a standard deployment of OpenWhisk on ROKS would be:
```yaml
whisk:
  ingress:
    # NOTE: Replace <domain> with your cluster's actual domain
    apiHostName: openwhisk.<domain>
    apiHostPort: 443
    apiHostProto: https
    type: Standard
    useInternally: true
    # NOTE: Replace <domain> with your cluster's actual domain
    domain: openwhisk.<domain>
    tls:
      enabled: true
      secretenabled: true
      createsecret: false
      # NOTE: Replace <ibmtlssecret> with your cluster's actual tlssecret
      secretname: <ibmtlssecret>
    annotations:
      kubernetes.io/ingress.class: public-iks-k8s-nginx
      nginx.ingress.kubernetes.io/use-regex: "true"
      nginx.ingress.kubernetes.io/configuration-snippet: |
        proxy_set_header X-Request-ID $request_id;
      nginx.ingress.kubernetes.io/proxy-body-size: 50m
      nginx.ingress.kubernetes.io/proxy-read-timeout: "75"

k8s:
  dns: dns-default.openshift-dns

invoker:
  containerFactory:
    impl: kubernetes
```
No known limitations.