From 90b0ea3e89c4539d93e378e61f5129d2ea64d849 Mon Sep 17 00:00:00 2001 From: Shubhada Date: Fri, 12 Jul 2024 12:37:00 -0700 Subject: [PATCH] fix: Validate RP before cluster creation, add env variables for OCP pullspecs, and update instructions fix: Use RP_IMAGE_LOCAL for Linux compatibility in runlocal-rp target remove the changes veriable file modified move the set file to the hack directory and updated the doc move the set file to the hack directory and updated the doc Improve Podman Compatibility for Local RP with Secrets Handling Improve Podman compatibility by switching from 72626 to syntax for environment variables in Makefile env file updated Added logic to print the VNet/Subnets env file updated Update OpenShift version to 4.13.40 Update OpenShift version to 4.13.40 file added file added modified the makefile file has been added file has been added Makefile has been modifies Added the dynamic variable to fetch the default openshift version Update setup_resources.sh to dynamically fetch OpenShift version and pull specs from const.go --- Makefile | 92 +++++++++++-------- docs/deploy-development-rp.md | 83 +++++++++++++---- setup_resources.sh => hack/setup_resources.sh | 49 +++++++--- pkg/env/dev.go | 2 - 4 files changed, 156 insertions(+), 70 deletions(-) rename setup_resources.sh => hack/setup_resources.sh (70%) diff --git a/Makefile b/Makefile index 67d804d5c05..c64fe36c3c1 100644 --- a/Makefile +++ b/Makefile 
@@ -67,53 +67,71 @@ build-all: aro: check-release generate go build -ldflags "-X github.com/Azure/ARO-RP/pkg/util/version.GitCommit=$(VERSION)" ./cmd/aro +# Target to create docker secrets +.PHONY: docker-secrets +docker-secrets: aks.kubeconfig + docker secret rm --ignore aks.kubeconfig + docker secret create aks.kubeconfig ./aks.kubeconfig + + docker secret rm --ignore proxy-client.key + docker secret create proxy-client.key ./secrets/proxy-client.key + + docker secret rm --ignore proxy-client.crt + docker secret create proxy-client.crt ./secrets/proxy-client.crt + + docker secret rm --ignore proxy.crt + docker secret create proxy.crt ./secrets/proxy.crt + # Target to run the local RP .PHONY: runlocal-rp -runlocal-rp: ci-rp aks.kubeconfig - @set -a; source secrets/env; set +a; \ - podman run --rm -p 127.0.0.1:8443:8443 \ +runlocal-rp: ci-rp docker-secrets + docker run --rm -p 127.0.0.1:8443:8443 \ --name aro-rp \ -w /app \ + -e ARO_IMAGE \ -e RP_MODE="development" \ - -e PROXY_HOSTNAME="$${PROXY_HOSTNAME}" \ - -e DOMAIN_NAME="$${DOMAIN_NAME}" \ - -e AZURE_RP_CLIENT_ID="$${AZURE_RP_CLIENT_ID}" \ - -e AZURE_FP_CLIENT_ID="$${AZURE_FP_CLIENT_ID}" \ - -e AZURE_SUBSCRIPTION_ID="$${AZURE_SUBSCRIPTION_ID}" \ - -e AZURE_TENANT_ID="$${AZURE_TENANT_ID}" \ - -e AZURE_RP_CLIENT_SECRET="$${AZURE_RP_CLIENT_SECRET}" \ - -e LOCATION="$${LOCATION}" \ - -e RESOURCEGROUP="$${RESOURCEGROUP}" \ - -e AZURE_ARM_CLIENT_ID="$${AZURE_ARM_CLIENT_ID}" \ - -e AZURE_FP_SERVICE_PRINCIPAL_ID="$${AZURE_FP_SERVICE_PRINCIPAL_ID}" \ - -e AZURE_DBTOKEN_CLIENT_ID="$${AZURE_DBTOKEN_CLIENT_ID}" \ - -e AZURE_PORTAL_CLIENT_ID="$${AZURE_PORTAL_CLIENT_ID}" \ - -e AZURE_PORTAL_ACCESS_GROUP_IDS="$${AZURE_PORTAL_ACCESS_GROUP_IDS}" \ - -e AZURE_CLIENT_ID="$${AZURE_CLIENT_ID}" \ - -e AZURE_SERVICE_PRINCIPAL_ID="$${AZURE_SERVICE_PRINCIPAL_ID}" \ - -e AZURE_CLIENT_SECRET="$${AZURE_CLIENT_SECRET}" \ - -e AZURE_GATEWAY_CLIENT_ID="$${AZURE_GATEWAY_CLIENT_ID}" \ - -e 
AZURE_GATEWAY_SERVICE_PRINCIPAL_ID="$${AZURE_GATEWAY_SERVICE_PRINCIPAL_ID}" \ - -e AZURE_GATEWAY_CLIENT_SECRET="$${AZURE_GATEWAY_CLIENT_SECRET}" \ - -e DATABASE_NAME="$${DATABASE_NAME}" \ - -e PULL_SECRET="$${PULL_SECRET}" \ - -e SECRET_SA_ACCOUNT_NAME="$${SECRET_SA_ACCOUNT_NAME}" \ - -e DATABASE_ACCOUNT_NAME="$${DATABASE_ACCOUNT_NAME}" \ - -e KEYVAULT_PREFIX="$${KEYVAULT_PREFIX}" \ - -e ADMIN_OBJECT_ID="$${ADMIN_OBJECT_ID}" \ - -e PARENT_DOMAIN_NAME="$${PARENT_DOMAIN_NAME}" \ - -e PARENT_DOMAIN_RESOURCEGROUP="$${PARENT_DOMAIN_RESOURCEGROUP}" \ - -e AZURE_ENVIRONMENT="$${AZURE_ENVIRONMENT}" \ - -e STORAGE_ACCOUNT_DOMAIN="$${STORAGE_ACCOUNT_DOMAIN}" \ - -e OIDC_STORAGE_ACCOUNT_NAME="$${OIDC_STORAGE_ACCOUNT_NAME}" \ + -e PROXY_HOSTNAME \ + -e DOMAIN_NAME \ + -e AZURE_RP_CLIENT_ID \ + -e AZURE_FP_CLIENT_ID \ + -e AZURE_SUBSCRIPTION_ID \ + -e AZURE_TENANT_ID \ + -e AZURE_RP_CLIENT_SECRET \ + -e LOCATION \ + -e RESOURCEGROUP \ + -e AZURE_ARM_CLIENT_ID \ + -e AZURE_FP_SERVICE_PRINCIPAL_ID \ + -e AZURE_DBTOKEN_CLIENT_ID \ + -e AZURE_PORTAL_CLIENT_ID \ + -e AZURE_PORTAL_ACCESS_GROUP_IDS \ + -e AZURE_CLIENT_ID \ + -e AZURE_SERVICE_PRINCIPAL_ID \ + -e AZURE_CLIENT_SECRET \ + -e AZURE_GATEWAY_CLIENT_ID \ + -e AZURE_GATEWAY_SERVICE_PRINCIPAL_ID \ + -e AZURE_GATEWAY_CLIENT_SECRET \ + -e DATABASE_NAME \ + -e PULL_SECRET \ + -e SECRET_SA_ACCOUNT_NAME \ + -e DATABASE_ACCOUNT_NAME \ + -e KEYVAULT_PREFIX \ + -e ADMIN_OBJECT_ID \ + -e PARENT_DOMAIN_NAME \ + -e PARENT_DOMAIN_RESOURCEGROUP \ + -e AZURE_ENVIRONMENT \ + -e STORAGE_ACCOUNT_DOMAIN \ + -e OIDC_STORAGE_ACCOUNT_NAME \ -e KUBECONFIG="/app/secrets/aks.kubeconfig" \ -e HIVE_KUBE_CONFIG_PATH="/app/secrets/aks.kubeconfig" \ -e ARO_CHECKOUT_PATH="/app" \ -e ARO_INSTALL_VIA_HIVE="true" \ -e ARO_ADOPT_BY_HIVE="true" \ - -v $(PWD)/aks.kubeconfig:/app/secrets/aks.kubeconfig:z \ - -v $(PWD)/secrets:/app/secrets:z \ - $$ARO_IMAGE rp + --secret aks.kubeconfig,target=/app/secrets/aks.kubeconfig \ + --secret 
proxy-client.key,target=/app/secrets/proxy-client.key \ + --secret proxy-client.crt,target=/app/secrets/proxy-client.crt \ + --secret proxy.crt,target=/app/secrets/proxy.crt \ + $(RP_IMAGE_LOCAL) rp + .PHONY: az az: pyenv diff --git a/docs/deploy-development-rp.md b/docs/deploy-development-rp.md index 01a0596de16..60b43486696 100644 --- a/docs/deploy-development-rp.md +++ b/docs/deploy-development-rp.md @@ -1,31 +1,19 @@ # Deploy development RP -## Why to use it? -This is the **preferred** and fast way to have your own local development RP setup, while also having a functional cluster. -It uses hacks scripts around a lot of the setup to make things easier to bootstrap and be more sensible for running off of your local laptop. - -- Check the specific use-case examples where [deploying full RP service](https://github.com/Azure/ARO-RP/blob/master/docs/deploy-full-rp-service-in-dev.md) can be a better match. - ## Prerequisites 1. Your development environment is prepared according to the steps outlined in [Prepare Your Dev Environment](./prepare-your-dev-environment.md) ## Installing the extension -1. Check the `env.example` file and copy it by creating your own: - - ```bash - cp env.example env - ``` - -2. Build the development `az aro` extension: +1. Build the development `az aro` extension: ```bash . ./env make az ``` -3. Verify the ARO extension is registered: +1. Verify the ARO extension is registered: ```bash az -v 
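Review bot: The move to `--secret` mounts covers the kubeconfig and the proxy TLS key, but `AZURE_RP_CLIENT_SECRET`, `AZURE_CLIENT_SECRET`, `AZURE_GATEWAY_CLIENT_SECRET` and `PULL_SECRET` are still handed to the container as environment variables, where `docker inspect aro-rp` and the container's `/proc/1/environ` expose them; if the engine supports it (podman does via `--secret name,type=env,target=VAR`) these belong in the same secret store, otherwise a comment above the `-e` list should state that the sourced env file is the trust boundary. The `docker-secrets` target declares only `aks.kubeconfig` as a prerequisite, so a missing `secrets/proxy-client.key` surfaces as an opaque `docker secret create` failure rather than a make error; `docker-secrets: aks.kubeconfig secrets/proxy-client.key secrets/proxy-client.crt secrets/proxy.crt` fixes that. Note also that the created secrets outlive the `--rm` container and stay in the engine's secret store until removed, and that `docker secret rm --ignore` and `docker run --secret` match podman's CLI — with Docker CE, `docker secret` requires swarm mode and, as far as I know, `docker run` has no `--secret` flag — so the target should say which engine it is written for.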
@@ -481,12 +469,69 @@ To run fake metrics socket: ```bash go run ./hack/monitor ``` +## Run the RP and create a Hive cluster -## Troubleshooting +**Steps to perform on Mac** -1. Trying to use `az aro` CLI in Production, fails with: +1. Mount your local MacOS filesystem into the podman machine: +```bash +podman machine init --now --cpus=4 --memory=4096 -v $HOME:$HOME ``` -(NoRegisteredProviderFound) No registered resource provider found for location '$LOCATION' and API version '2024-08-12-preview' + +2. Use the openvpn config file (which is now mounted inside the podman machine) to start the VPN connection: + +```bash +podman machine ssh + +sudo rpm-ostree install openvpn + +sudo systemctl reboot + +podman machine ssh + +sudo openvpn --config /Users//go/src/github.com/Azure/ARO-RP/secrets/vpn-aks-westeurope.ovpn --daemon --writepid vpnpid + +ps aux | grep openvpn ``` -- Check if`~/.azure/config` there is a block `extensions.dev_sources`. If yes, comment it. -- Check if env var `AZURE_EXTENSION_DEV_SOURCES` is set. If yes, unset it. \ No newline at end of file + +### Instructions for Modifying Environment File + +**Update the env File** + +- Open the `env` file. +- Update env file instructions: set `OPENSHIFT_VERSION`, update `INSTALLER_PULLSPEC` and `OCP_PULLSPEC`, mention quay.io for SHA256 hash. 
+- Update INSTALLER_PULLSPEC with the appropriate name and tag, typically matching the OpenShift version, e.g., `release-4.13.`(for more detail see the `env.example`) + +* Source the environment file before creating the cluster using the `setup_resources.sh` script(Added the updated env in the PR) +```bash +cd /hack + +./setup_resources.sh +``` + +* Once the cluster create verify connectivity with the ARO cluster: +- Download the admin kubeconfig file +```bash +az aro get-admin-kubeconfig --name --resource-group v4-westeurope --file ~/.kube/aro-admin-kubeconfig +``` +- Set the KUBECONFIG environment variable +```bash +export KUBECONFIG=~/.kube/aro-admin-kubeconfig +``` +- Verify connectivity with the ARO cluster +```bash +kubectl get nodes +``` + +```bash +kubectl get nodes +NAME STATUS ROLES AGE VERSION +shpaitha-aro-cluster-4sp5c-master-0 Ready control-plane,master 39m v1.25.11+1485cc9 +shpaitha-aro-cluster-4sp5c-master-1 Ready control-plane,master 39m v1.25.11+1485cc9 +shpaitha-aro-cluster-4sp5c-master-2 Ready control-plane,master 39m v1.25.11+1485cc9 +shpaitha-aro-cluster-4sp5c-worker-westeurope1-j9c76 Ready worker 29m v1.25.11+1485cc9 +shpaitha-aro-cluster-4sp5c-worker-westeurope2-j9zrs Ready worker 27m v1.25.11+1485cc9 +shpaitha-aro-cluster-4sp5c-worker-westeurope3-56tk7 Ready worker 28m v1.25.11+1485cc9 +``` + + diff --git a/setup_resources.sh b/hack/setup_resources.sh similarity index 70% rename from setup_resources.sh rename to hack/setup_resources.sh index 8d37b3d209e..29b6e4af0c6 100755 --- a/setup_resources.sh +++ b/hack/setup_resources.sh 
@@ -2,6 +2,32 @@ set -e +# Determine the base directory of the script +BASE_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd) + +# Construct the path to const.go using the base directory +CONST_GO_PATH="$BASE_DIR/pkg/util/version/const.go" + +# Debugging: Print paths for verification +echo "Base directory: $BASE_DIR" +echo "Path to const.go: $CONST_GO_PATH" + +# Check if const.go exists +if [ ! -f "$CONST_GO_PATH" ]; then + echo "Error: File $CONST_GO_PATH not found." + exit 1 +fi + +# Extract version and pullspec from const.go +OPENSHIFT_VERSION=$(awk -F'[(,)]' '/NewVersion/ {gsub(/ /, ""); print $2"."$3"."$4; exit}' "$CONST_GO_PATH") +OCP_PULLSPEC=$(awk -F'"' '/PullSpec:/ {print $2; exit}' "$CONST_GO_PATH") +INSTALLER_PULLSPEC="arointsvc.azurecr.io/aro-installer:release-$OPENSHIFT_VERSION" + +# Print the fetched values for verification +echo "Using OpenShift version: $OPENSHIFT_VERSION" +echo "Using OCP_PULLSPEC: $OCP_PULLSPEC" +echo "Using INSTALLER_PULLSPEC: $INSTALLER_PULLSPEC" + # Function to validate RP running validate_rp_running() { echo "########## Checking ARO RP Status ##########" 
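Review bot: The three values derived from `const.go` are assigned unconditionally, so the `OPENSHIFT_VERSION`, `OCP_PULLSPEC` and `INSTALLER_PULLSPEC` that the docs in this same patch tell the user to set in the env file are silently overwritten, and nothing checks that the `awk` extraction matched: an empty `OPENSHIFT_VERSION` yields `INSTALLER_PULLSPEC=arointsvc.azurecr.io/aro-installer:release-`, and the later hunk removes the unset-variable guards that used to catch exactly this. I would make the derivation a default that honours a pre-set value and fail fast on empty results, as below. The `awk` patterns also take the first `NewVersion(` / `PullSpec:` occurrence in the file; presumably that is the intended default version, but it deserves a comment, since reordering `const.go` would change which release and payload image the dev cluster installs. Note too that `INSTALLER_PULLSPEC` is a mutable tag rather than a digest, so the installer image is not pinned the way a `sha256:` pullspec is.
```shell
# Extract version and pullspecs from const.go, honouring values already set in the environment
OPENSHIFT_VERSION="${OPENSHIFT_VERSION:-$(awk -F'[(,)]' '/NewVersion/ {gsub(/ /, ""); print $2"."$3"."$4; exit}' "$CONST_GO_PATH")}"
OCP_PULLSPEC="${OCP_PULLSPEC:-$(awk -F'"' '/PullSpec:/ {print $2; exit}' "$CONST_GO_PATH")}"
INSTALLER_PULLSPEC="${INSTALLER_PULLSPEC:-arointsvc.azurecr.io/aro-installer:release-$OPENSHIFT_VERSION}"

if [ -z "$OPENSHIFT_VERSION" ] || [ -z "$OCP_PULLSPEC" ]; then
  echo "Error: could not determine OPENSHIFT_VERSION/OCP_PULLSPEC from $CONST_GO_PATH"
  exit 1
fi
# … unchanged: echo of the fetched values …
```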
@@ -27,18 +53,15 @@ validate_rp_running() { done } -# Ensure all env vars are set (CLUSTER_LOCATION, CLUSTER_RESOURCEGROUP, CLUSTER_NAME) +# Ensure all env vars are set (LOCATION, CLUSTER_RESOURCEGROUP, CLUSTER_NAME) ALL_SET="true" -if [ -z ${AZURE_SUBSCRIPTION_ID} ]; then ALL_SET="false" && echo "AZURE_SUBSCRIPTION_ID is unset"; else echo "AZURE_SUBSCRIPTION_ID is set to '$AZURE_SUBSCRIPTION_ID'"; fi -if [ -z ${LOCATION} ]; then ALL_SET="false" && echo "LOCATION is unset"; else echo "LOCATION is set to '$LOCATION'"; fi -if [ -z ${CLUSTER_RESOURCEGROUP} ]; then ALL_SET="false" && echo "CLUSTER_RESOURCEGROUP is unset"; else echo "CLUSTER_RESOURCEGROUP is set to '$CLUSTER_RESOURCEGROUP'"; fi -if [ -z ${CLUSTER_NAME} ]; then ALL_SET="false" && echo "CLUSTER_NAME is unset"; else echo "CLUSTER_NAME is set to '$CLUSTER_NAME'"; fi -if [ -z ${CLUSTER_VNET} ]; then CLUSTER_VNET="aro-vnet2"; echo "CLUSTER_VNET is ${CLUSTER_VNET}"; fi -if [ -z ${CLUSTER_MASTER_SUBNET} ]; then CLUSTER_MASTER_SUBNET="master-subnet"; echo "CLUSTER_MASTER_SUBNET is ${CLUSTER_MASTER_SUBNET}"; fi -if [ -z ${CLUSTER_WORKER_SUBNET} ]; then CLUSTER_WORKER_SUBNET="worker-subnet"; echo "CLUSTER_WORKER_SUBNET is ${CLUSTER_WORKER_SUBNET}"; fi -if [ -z ${OPENSHIFT_VERSION} ]; then ALL_SET="false" && echo "OPENSHIFT_VERSION is unset"; else echo "OPENSHIFT_VERSION is set to '$OPENSHIFT_VERSION'"; fi -if [ -z ${OCP_PULLSPEC} ]; then ALL_SET="false" && echo "OCP_PULLSPEC is unset"; else echo "OCP_PULLSPEC is set to '$OCP_PULLSPEC'"; fi -if [ -z ${INSTALLER_PULLSPEC} ]; then ALL_SET="false" && echo "INSTALLER_PULLSPEC is unset"; else echo "INSTALLER_PULLSPEC is set to '$INSTALLER_PULLSPEC'"; fi +if [ -z "${AZURE_SUBSCRIPTION_ID}" ]; then ALL_SET="false" && echo "AZURE_SUBSCRIPTION_ID is unset"; else echo "AZURE_SUBSCRIPTION_ID is set to '$AZURE_SUBSCRIPTION_ID'"; fi +if [ -z "${LOCATION}" ]; then ALL_SET="false" && echo "LOCATION is unset"; else echo "LOCATION is set to '$LOCATION'"; fi +if [ -z 
"${CLUSTER_RESOURCEGROUP}" ]; then ALL_SET="false" && echo "CLUSTER_RESOURCEGROUP is unset"; else echo "CLUSTER_RESOURCEGROUP is set to '$CLUSTER_RESOURCEGROUP'"; fi +if [ -z "${CLUSTER_NAME}" ]; then ALL_SET="false" && echo "CLUSTER_NAME is unset"; else echo "CLUSTER_NAME is set to '$CLUSTER_NAME'"; fi +if [ -z "${CLUSTER_VNET}" ]; then CLUSTER_VNET="aro-vnet2"; fi; echo "CLUSTER_VNET is ${CLUSTER_VNET}" +if [ -z "${CLUSTER_MASTER_SUBNET}" ]; then CLUSTER_MASTER_SUBNET="master-subnet"; fi; echo "CLUSTER_MASTER_SUBNET is ${CLUSTER_MASTER_SUBNET}" +if [ -z "${CLUSTER_WORKER_SUBNET}" ]; then CLUSTER_WORKER_SUBNET="worker-subnet"; fi; echo "CLUSTER_WORKER_SUBNET is ${CLUSTER_WORKER_SUBNET}" if [[ "${ALL_SET}" != "true" ]]; then exit 1; fi @@ -46,7 +69,7 @@ if [[ "${ALL_SET}" != "true" ]]; then exit 1; fi echo "Checking Azure CLI version..." az_version=$(az --version | grep 'azure-cli' | awk '{print $2}') required_version="2.30.0" -if [ "$(printf '%s\n' "$required_version" "$az_version" | sort -V | head -n1)" = "$required_version" ]; then +if [ "$(printf '%s\n' "$required_version" "$az_version" | sort -V | head -n1)" = "$required_version" ]; then echo "Azure CLI version is compatible" else echo "Azure CLI version must be $required_version or later. Please upgrade." @@ -157,3 +180,5 @@ fi echo "To list cluster credentials, run:" echo " az aro list-credentials --name $CLUSTER_NAME --resource-group $CLUSTER_RESOURCEGROUP" + +echo "Note: Do not manually delete any resources. Let the script handle the deletions to avoid issues." diff --git a/pkg/env/dev.go b/pkg/env/dev.go index a5f8e20cb8b..bb900cd2760 100644 --- a/pkg/env/dev.go +++ b/pkg/env/dev.go @@ -72,8 +72,6 @@ func (d *dev) AROOperatorImage() string { } func (d *dev) Listen() (net.Listener, error) { - // in dev mode there is no authentication, so for safety we only listen on - // localhost return net.Listen("tcp", ":8443") }
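Review bot: Deleting the comment leaves `net.Listen("tcp", ":8443")` with no record that dev mode has no authentication, which is the one security-relevant fact a reader of `Listen` needs; the bind is to all interfaces, so the only thing keeping an unauthenticated RP off the network is the caller (`runlocal-rp` publishes `127.0.0.1:8443:8443`, but a plain `go run ./cmd/aro rp` on the host, if that path is still used, gets no such protection). Rather than drop the comment I would correct it: `// dev mode has no authentication; binding all interfaces is needed so the container's published port reaches the RP, so exposure must be limited by the caller (runlocal-rp publishes 127.0.0.1:8443 only).` Alternatively keep the original intent by defaulting to `127.0.0.1:8443` and letting an environment variable widen the bind for the container case; either way the rationale should stay in the code next to the bind address.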