Step 10 - The Example Application

OpenShift Supply Chain

- Thomas Jungbauer Thomas Jungbauer ( Lastmod: 2024-05-08 ) - 3 min read

If you read all articles up to here (congratulations) you know that we always update the README file of "The Application". But what is this application exactly and how can we update it like in a real-life example? The Globex UI application is built with Angular and was prepared for this journey. It is a quite complex application and requires Kafka to be installed as well. However, since I am not a developer and this tool was already available, I forked and re-used it. The original can be found at Globex UI

Goals

The goals of this step are:

  • Deploy AMQ Streams Operator

  • Deploy Globex DEV

  • Deploy Globex Prod

  • Verify Deployments

Introduction

The Globex UI, although quite complex, will provide a simple web interface. Since I do not have multiple clusters, I will use the Namespaces globex-dev and globex-prod to distinguish between the two environments. This means, our DEV environment will run inside globex-dev and PROD in globex-prod. Kafka related stuff will be deployed in the Namespace kafka.

Globex UI
Figure 1. Globex UI

The deployment will be done automatically by GitOps. As soon as our Pipeline will be executed and subsequently updates our image in the Kubernetes manifests (see step: Linting Kubernetes Manifests), a new version of Globex UI will be deployed. The production update will follow in later steps in the pipeline.

GitOps will monitor changes in our Kubernetes manifest repository. Here, we use Kustomize overlays to separate between DEV and PROD.

As a general recommendation: Do everything with GitOps. If it is not in Git, it does not exist.

Installation

To install all required components, we create several GitOps Applications.

Although we create these Argo CD Applications by hand, it is recommended to put these definitions into Git also.
Since this is just a demo, I am using the cluster instance of OpenShift GitOps. DO NOT deploy customer workload using the default instance, since it has privileged permissions on the cluster. Instead, create a second instance (or multiple) for the developers.

The following Applications will be created:

GitOps Applications
Figure 2. GitOps Applications

Install AMQ Streams Operator

As the very first step, we need to deploy the AMQ Streams Operator. Simply search for the operator in the Operator Hub and deploy it using the default values.

Also, this deployment could and should be done using Argo CD. For the sake of speed, I have done this manually here.
AMQ Streams Operator
Figure 3. AMQ Streams Operator

Install Kafka for Globex

Now we can deploy all Kafka-related stuff using GitOps. Let’s create the following Application object:

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: globex-kafka
  namespace: openshift-gitops
spec:
  destination:
    namespace: kafka (1)
    server: 'https://kubernetes.default.svc' (2)
  project: default
  source:
    path: application/kafka/overlays/dev (3)
    repoURL: 'https://github.com/tjungbauer/securing-software-supply-chain'
    targetRevision: HEAD
  syncPolicy:
    automated: (4)
      selfHeal: true
    syncOptions:
      - RespectIgnoreDifferences=true
      - CreateNamespace=true
1The deployment must be done in the Namespace kafka
2We install using the local GitOps server instance.
3Path/URL to the GitHub Kustomize repository.
4Auto-Update in case of changes are detected.

Install Globex DEV

The DEV installation will deploy the test version of our application into the Namespace globex-dev

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: globex-dev (1)
  namespace: openshift-gitops
spec:
  destination:
    namespace: globex-dev (2)
    server: 'https://kubernetes.default.svc' (3)
  ignoreDifferences:
    - group: '*'
      jqPathExpressions:
        - '.imagePullSecrets[] | select(.name|test(".-dockercfg-."))'
      kind: ServiceAccount
  project: default
  source:
    path: application/globex/overlays/dev (4)
    repoURL: 'https://github.com/tjungbauer/securing-software-supply-chain'
    targetRevision: HEAD
  syncPolicy:
    automated: (5)
      selfHeal: true
    syncOptions:
      - RespectIgnoreDifferences=true
      - CreateNamespace=true (6)
1Globex DEV instance
2Install into the Namespace globex-dev
3We install using the local GitOps server instance.
4Path/URL to the GitHub Kustomize repository.
5Auto-Update in case of changes are detected.
6Create the Namespace if it does not exist.

Install Globex PROD

And finally, the same for the PROD instance:

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: globex-prod (1)
  namespace: openshift-gitops
spec:
  destination:
    namespace: globex-prod (2)
    server: 'https://kubernetes.default.svc' (3)
  ignoreDifferences:
    - group: '*'
      jqPathExpressions:
        - '.imagePullSecrets[] | select(.name|test(".-dockercfg-."))'
      kind: ServiceAccount
  project: default
  source:
    path: application/globex/overlays/prod (4)
    repoURL: 'https://github.com/tjungbauer/securing-software-supply-chain'
    targetRevision: HEAD
  syncPolicy:
    automated: (5)
      selfHeal: true
    syncOptions:
      - RespectIgnoreDifferences=true
      - CreateNamespace=true (6)
1Globex DEV instance
2Install into the Namespace globex-prod
3We install using the local GitOps server instance.
4Path/URL to the GitHub Kustomize repository.
5Auto-Update in case of changes are detected.
6Create the Namespace if it does not exist.

Summary

During this step we have added nothing new to our pipeline, but deployed our example application Globex UI instead, including Kafka. The next steps will now do another verification against ACS and if the transparency logs are available, and then finally prepares everything for production deployment.

See Also:

  • Introducing AdminNetworkPolicies

    Classic Kubernetes/OpenShift offer a feature called NetworkPolicy that allows users to control the traffic to and from their assigned Namespace. NetworkPolicies are designed to give project owners or tenants the ability to protect their own namespace. Sometimes, however, I worked with customers where the cluster administrators or a dedicated (network) team need to enforce these policies. Since the NetworkPolicy API is namespace-scoped, it is not possible to enforce policies across namespaces. The only solution was to create custom (project) admin and edit roles, and remove the ability of creating, modifying or deleting NetworkPolicy objects. Technically, this is possible and easily done. But shifts the whole network security to cluster administrators. Luckily, this is where AdminNetworkPolicy (ANP) and BaselineAdminNetworkPolicy (BANP) comes into play.

  • Using Kustomize to post render a Helm Chart

    Lately I came across several issues where a given Helm Chart must be modified after it has been rendered by Argo CD. Argo CD does a helm template to render a Chart. Sometimes, especially when you work with Subcharts or when a specific setting is not yet supported by the Chart, you need to modify it later …​ you need to post-render the Chart. In this very short article, I would like to demonstrate this on a real-live example I had to do. I would like to inject annotations to a Route objects, so that the certificate can be injected. This is done by the cert-utils operator. For the post-rendering the Argo CD repo pod will be extended with a sidecar container, that is watching for the repos and patches them if required.

  • Managing Certificates using GitOps approach

    The article SSL Certificate Management for OpenShift on AWS explains how to use the Cert-Manager Operator to request and install a new SSL Certificate. This time, I would like to leverage the GitOps approach using the Helm Chart cert-manager I have prepared to deploy the Operator and order new Certificates. I will use an ACME Letsencrypt issuer with a DNS challenge. My domain is hosted at AWS Route 53. However, any other integration can be easily used.

  • Update Cluster Version using GitOps approach

    During a GitOps journey at one point, the question arises, how to update a cluster? Nowadays it is very easy to update a cluster using CLI or WebUI, so why bother with GitOps in that case? The reason is simple: Using GitOps you can be sure that all clusters are updated to the correct, required version and the version of each cluster is also managed in Git. All you need is the channel you want to use and the desired cluster version. Optionally, you can define the exact image SHA. This might be required when you are operating in a restricted environment.

  • Multiple Sources for Applications in Argo CD

    Argo CD or OpenShift GitOps uses Applications or ApplicationSets to define the relationship between a source (Git) and a cluster. Typically, this is a 1:1 link, which means one Application is using one source to compare the cluster status. This can be a limitation. For example, if you are working with Helm Charts and a Helm repository, you do not want to re-build (or re-release) the whole chart just because you made a small change in the values file that is packaged into the repository. You want to separate the configuration of the chart with the Helm package. The most common scenarios for multiple sources are (see: Argo CD documentation): Your organization wants to use an external/public Helm chart You want to override the Helm values with your own local values You don’t want to clone the Helm chart locally as well because that would lead to duplication and you would need to monitor it manually for upstream changes. This small article describes three different ways with a working example and tries to cover the advantages and disadvantages of each of them. They might be opinionated but some of them proved to be easier to use and manage.

Copyright © 2020 - 2024 Toni Schmidbauer & Thomas Jungbauer