- Install Go 1.13 or later, if you haven't already.

- Install a supported version of Python, if you don't have one installed already. The `az` client supports Python 2.7 and Python 3.5+. A recent Python 3.x version is recommended.

- Install the `az` client, if you haven't already.

- Log in to Azure:

  ```
  az login
  ```

- Clone this repository to your local machine:

  ```
  go get github.com/jim-minter/rp/...
  ```

- You will need the `Contributor` and `User Access Administrator` roles on your subscription.

- Fetch the development environment secrets:

  ```
  make secrets
  ```
- Edit and source your environment file. The required environment variable configuration is documented immediately below. The env file holds client secrets (`AZURE_ARM_CLIENT_SECRET`, `AZURE_CLIENT_SECRET`), so keep it out of version control and readable only by you.

  ```
  cp env.example env
  vi env
  . ./env
  ```

  - `LOCATION`: Location of the resource group where the development RP will run (default: `eastus`).

  - `RESOURCEGROUP`: Name of the new resource group into which you will deploy your RP assets.

  - `RP_MODE`: Set to `development` to enable the RP to read its development configuration, and the `az aro` client to connect to the development RP.

  - `AZURE_TENANT_ID`: Azure tenant UUID.

  - `AZURE_SUBSCRIPTION_ID`: Azure subscription UUID.

  - `AZURE_ARM_CLIENT_{ID,SECRET}`: Credentials of an AAD application which fakes up the ARM layer. Later it will be granted `User Access Administrator` on your subscription.

  - `AZURE_FP_CLIENT_ID`: Client ID of an AAD application which fakes up the first party application. Later it will be granted `ARO v4 FP Subscription` on your subscription. This application requires client certificate authentication to be enabled. A suitable key/certificate file can be generated using the following helper utility; then configure it in AAD.

    ```
    go run ./hack/genkey -extKeyUsage client firstparty-development
    ```

  - `AZURE_CLIENT_{ID,SECRET}`: Credentials of an AAD application which fakes up the RP identity. Later it will be granted:
    - `Reader` on RESOURCEGROUP.
    - `Secrets / Get` on the key vault in RESOURCEGROUP.
    - `DocumentDB Account Contributor` on the CosmosDB resource in RESOURCEGROUP.
    - `DNS Zone Contributor` on the DNS zone in RESOURCEGROUP.

  - `PULL_SECRET`: A cluster pull secret retrieved from Red Hat OpenShift Cluster Manager.

  - `ADMIN_OBJECT_ID`: AAD object ID (e.g. an AAD group, or your AAD user) for key vault admin(s).

  - `DOMAIN_RESOURCEGROUP`, `DOMAIN_NAME`: Resource group and name of a publicly resolvable parent DNS zone resource in your Azure subscription.
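A pre-flight check for the env file, added here as an example and not part of the repository: it fails fast on the mistakes this list invites (a blank variable, an ID that is not a GUID, `RP_MODE` left unset, a group- or world-readable env file full of client secrets) before any Azure resource has been created. It uses only the variable names documented above; the `is_uuid`, `check_env` and `check_env_file` function names and the validity rules they apply are this example's own assumptions.

```shell
#!/bin/sh
# Pre-flight check for the development RP env file. Added example, not
# repository code. Validity rules (GUID shape for the *_ID variables, RP_MODE
# exactly "development", a parent zone of at least two labels, an owner-only
# env file) are this check's assumptions, not something the RP enforces.

# Azure tenant, subscription, AAD application and AAD object IDs are all GUIDs.
is_uuid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# check_env: returns 0 when every required variable is present and well-formed,
# 1 otherwise, printing one line per problem to stderr.
check_env() {
  rc=0

  # Must be non-empty; their content is opaque to this check.
  for v in LOCATION RESOURCEGROUP AZURE_ARM_CLIENT_SECRET AZURE_CLIENT_SECRET \
           PULL_SECRET DOMAIN_RESOURCEGROUP; do
    eval "val=\${$v:-}"
    if [ -z "$val" ]; then
      echo "check_env: $v is unset or empty" >&2
      rc=1
    fi
  done

  # Must look like GUIDs.
  for v in AZURE_TENANT_ID AZURE_SUBSCRIPTION_ID AZURE_ARM_CLIENT_ID \
           AZURE_FP_CLIENT_ID AZURE_CLIENT_ID ADMIN_OBJECT_ID; do
    eval "val=\${$v:-}"
    if ! is_uuid "$val"; then
      echo "check_env: $v is not a GUID (got '$val')" >&2
      rc=1
    fi
  done

  # The az aro client only targets the local RP when RP_MODE is exactly this.
  if [ "${RP_MODE:-}" != "development" ]; then
    echo "check_env: RP_MODE must be 'development' (got '${RP_MODE:-}')" >&2
    rc=1
  fi

  # A publicly resolvable parent zone you own has at least two labels.
  case "${DOMAIN_NAME:-}" in
    *.*) ;;
    *) echo "check_env: DOMAIN_NAME must be a zone such as example.com (got '${DOMAIN_NAME:-}')" >&2
       rc=1 ;;
  esac

  return $rc
}

# check_env_file FILE: the env file carries client secrets, so refuse to
# continue if anyone other than its owner can read it (group or other read
# bit set: octal 040 or 004).
check_env_file() {
  f=${1:-env}
  if [ ! -f "$f" ]; then
    echo "check_env_file: $f not found" >&2
    return 1
  fi
  if [ -n "$(find "$f" \( -perm -040 -o -perm -004 \) -print)" ]; then
    echo "check_env_file: $f is readable by group/other; fix with: chmod 600 $f" >&2
    return 1
  fi
  return 0
}

# Usage, before running any of the deployment steps:
#   chmod 600 env && . ./env && check_env_file env && check_env
```

Run it once after sourcing `env` and again whenever you rotate a client secret; the GUID check catches truncated copy/paste, but it cannot tell an application (client) ID from a service principal object ID, so the role assignment step below still needs the right one.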
- Set up the RP role definitions and assignments in your Azure subscription. This mimics the RBAC that ARM sets up. With at least `User Access Administrator` permissions on your subscription, do the following (`$ARM_SERVICEPRINCIPAL_ID` and `$FP_SERVICEPRINCIPAL_ID` are the service principal object IDs of the ARM and first party applications; Azure role assignments take object IDs, not application/client IDs):

  ```
  az deployment create \
    -l $LOCATION \
    --template-file deploy/rbac-development.json \
    --parameters \
      "armServicePrincipalId=$ARM_SERVICEPRINCIPAL_ID" \
      "fpServicePrincipalId=$FP_SERVICEPRINCIPAL_ID"
  ```
- Create an RP serving key/certificate. A suitable key/certificate file can be generated using the following helper utility:

  ```
  go run ./hack/genkey localhost
  ```
- Create the resource group and deploy the RP resources:

  ```
  az group create -g "$RESOURCEGROUP" -l "$LOCATION"

  az group deployment create \
    -g "$RESOURCEGROUP" \
    --template-file deploy/rp-development.json \
    --parameters \
      "adminObjectId=$ADMIN_OBJECT_ID" \
      "databaseAccountName=$COSMOSDB_ACCOUNT" \
      "domainName=$DOMAIN" \
      "keyvaultName=$KEYVAULT_NAME" \
      "rpServicePrincipalId=$SERVICEPRINCIPAL_ID"
  ```
- Load the keys/certificates into the key vault:

  ```
  az keyvault certificate import \
    --vault-name "$KEYVAULT_NAME" \
    --name rp-firstparty \
    --file "$FP_KEYFILE"

  az keyvault certificate import \
    --vault-name "$KEYVAULT_NAME" \
    --name rp-server \
    --file "$KEYFILE"
  ```
- Create nameserver records in the parent DNS zone. The `$(...)` in the `for` loop is deliberately left unquoted so that each nameserver from the TSV output becomes its own iteration; quoting it would collapse all of them into a single, wrong `--nsdname` value.

  ```
  az network dns record-set ns create \
    --resource-group "$DOMAIN_RESOURCEGROUP" \
    --zone "$(cut -d. -f2- <<<"$DOMAIN")" \
    --name "$(cut -d. -f1 <<<"$DOMAIN")"

  for ns in $(az network dns zone show --resource-group "$RESOURCEGROUP" --name "$DOMAIN" --query nameServers -o tsv); do
    az network dns record-set ns add-record \
      --resource-group "$DOMAIN_RESOURCEGROUP" \
      --zone "$(cut -d. -f2- <<<"$DOMAIN")" \
      --record-set-name "$(cut -d. -f1 <<<"$DOMAIN")" \
      --nsdname "$ns"
  done
  ```
- Run the RP:

  ```
  go run ./cmd/rp
  ```
- Before creating a cluster, it is necessary to fake up the step of registering the development resource provider to the subscription. `-k` disables TLS verification because the development RP serves the locally generated `localhost` certificate; use it only against your own local RP.

  ```
  curl -k -X PUT \
    -H 'Content-Type: application/json' \
    -d '{"state": "Registered", "properties": {"tenantId": "'"$AZURE_TENANT_ID"'"}}' \
    "https://localhost:8443/subscriptions/$AZURE_SUBSCRIPTION_ID?api-version=2.0"
  ```
- To create a cluster, follow the instructions in "using `az aro`". Note that as long as the `RP_MODE` environment variable is set to `development`, the `az aro` client will connect to your local RP.

- The following additional RP endpoints are available but not exposed via `az aro`:

  - Delete a subscription, cascading deletion to all its clusters:

    ```
    curl -k -X PUT \
      -H 'Content-Type: application/json' \
      -d '{"state": "Deleted", "properties": {"tenantId": "'"$AZURE_TENANT_ID"'"}}' \
      "https://localhost:8443/subscriptions/$AZURE_SUBSCRIPTION_ID?api-version=2.0"
    ```

  - List operations:

    ```
    curl -k \
      "https://localhost:8443/providers/Microsoft.RedHatOpenShift/operations?api-version=2019-12-31-preview"
    ```

- Get an admin kubeconfig:

  ```
  hack/get-admin-kubeconfig.sh "/subscriptions/$AZURE_SUBSCRIPTION_ID/resourceGroups/$RESOURCEGROUP/providers/Microsoft.RedHatOpenShift/openShiftClusters/$CLUSTER"
  export KUBECONFIG=admin.kubeconfig
  oc version
  ```

- SSH to the bootstrap node:

  ```
  hack/ssh-bootstrap.sh "/subscriptions/$AZURE_SUBSCRIPTION_ID/resourceGroups/$RESOURCEGROUP/providers/Microsoft.RedHatOpenShift/openShiftClusters/$CLUSTER"
  ```