Execution of Submariner deployment and testing, requires a few conditions to met.
- ACM Hub cluster
- At least two active managed clusters
- The clusters could be deployed by the ACM hub via hive
- The clusters could be deployed separately and imported into the hub
Note - In that case, cluster kubeconfig and cloud creds (when required) should exists within the hub. (See section below).
As part of the automation flow, kubeconfig fetched in order to perform number of configuration steps on the managed clsuters.
When we are deploying a managed cluster from the hub, the kubeconfig of the cluster and cloud credentials of the cluster platform stored on the hub under the cluster namespace.
As a result, the kubeconfig file easily fetched and used.
But when we are deploying a cluster separately and them importing it into the hub, the kubeconfig and cloud credentials are not stored on the hub.
In order to allow automation flow deploy and test on the imported clusters, we should create secrets with the following content:
- A secret with kubeconfig content of the imported cluster
- A secret with cloud credentials of the platform where cluster deployed.
Note - A secret with cloud credentials required only when there is a need to create a separate instance to serve as submariner gateway. It's not the case for all the platforms.
Follow next steps to create kubeconfig secret on the Hub:
- Encode the kubeconfig file of the cluster
base64 -w0 /path/to/kubeconfig/file
- Create a secret file and fill up with the relevant content
apiVersion: v1
kind: Secret
metadata:
name: <cluster-name>-0-admin-kubeconfig
namespace: <cluster-name>
type: Opaque
data:
kubeconfig: <encoded_kubeconfig_file>
- Apply the created secret file on the Hub cluster
oc apply -f secret.yaml
Follow next steps to create cloud credentials secret:
Note 1 - The cloud credentials secret required when an instance of submariner gateway should be created.
Note 2 - The cloud credentials doesn't need to be created for platforms such: ROSA, ARO, IBMPower.
Note 3 - Cloud credentials secret values may differ according to the cloud provider.
- Encode the username/password values
base64 <credentials_values>
- Create a secret file and fill up with the relevant content
Example of AWS cloud credentials
apiVersion: v1
kind: Secret
metadata:
name: <cluster-name>-<credentials-name>
namespace: <cluster-name>
type: Opaque
data:
aws_access_key_id: <encoded value>
aws_secret_access_key: <encoded value>
- Apply the created secret file on the Hub cluster
oc apply -f secret.yaml
Note - For downstream deployment/testing only.
In order to perform downstream testing (made by QE), we need an access to internal registry - Brew.
Follow next steps to create internal registry secret.
- Reach ou to Submariner QE to get the guide for Brew credentials creation
- Login to the ACM Hub cluster
- Fetch exiting
pull-secretsecret and write it to apull_secret.yamlfile
oc -n openshift-config get secret/pull-secret --template='{{index .data ".dockerconfigjson" | base64decode}}' > pull_secret.yaml
- Update the
pull_secret.yamlfile with the brew registry credentials from the first step
oc registry login --registry="brew.registry.redhat.io" --auth-basic="<username>:<password>" --to=pull_secret.yaml
- Update the Hub cluster
pull-secretwith the updated values
oc -n openshift-config set data secret/pull-secret --from-file=.dockerconfigjson=pull_secret.yaml
- Delete the
pull_secret.yamlfile
rm pull_secret.yaml