- Having a production cluster join the hub
- Allow ACM to deploy the production application to a subset of secured clusters
- Deploy a production cluster
- Production cluster setup using the ACM UI
- Production setup using
- Production setup using
- Production is joined
- Next up
Production clusters need to be secured and so one part of the deployment is Advanced Cluster Security with a secured configuration. This allows ACS to monitor and report on security issues on the cluster. ACS secured sites report to an ACS Central application that is deployed on the hub.
By default the production applications are deployed on all
secured clusters that ACM knows about.
- name: secured helmOverrides: - name: clusterGroup.isHubCluster value: "false" clusterSelector: matchLabels: clustergroup: secured matchExpressions: - key: vendor operator: In values: - OpenShift
Remember to commit the changes and push to GitHub so that GitOps can see your changes and apply them.
Rather than provide instructions on creating a production cluster it is assumed
that an OpenShift cluster has already been created. Use the
openshift-install program provided at cloud.redhat.com
There are a three ways to join the production to the datacenter.
- Using the ACM user interface
- Using the
- Using the
After ACM is installed a message regarding a “Web console update is available” may be displayed. Click on the “Refresh web console” link.
On the upper-left side you’ll see a pull down labeled “local-cluster”. Select “All Clusters” from this pull down. This will navigate to the ACM console and to its “Clusters” section
Select the “Import cluster” option beside the highlighted Create Cluster button.
On the “Import an existing cluster” page, enter the cluster name and choose Kubeconfig as the “import mode”. Add the tag
clustergroup=secured Press import. Done.
Using this method, you are done. Skip to the section Production is joined but ignore the part about adding the site tag.
cm(cluster management) command-line tool. See details here
Obtain the KUBECONFIG file from the managed secured cluster.
On the command-line login into the hub/datacenter cluster (use
oc loginor export the KUBECONFIG).
Run the following command:
cm attach cluster --cluster <cluster-name> --cluster-kubeconfig <path-to-KUBECONFIG>
Skip to the section Production is joined
You can also use
clusteradm to join a cluster. The following instructions explain what needs to be done.
clusteradm is still in testing.
To deploy a edge cluster you will need to get the datacenter (or hub) cluster’s token. You will need to install
clusteradm. On the existing datacenter cluster:
clusteradm get token
When you run the
clusteradmcommand above it replies with the token and also shows you the command to use in production. So first you must login to the production cluster
Then request to that the production join the datacenter hub
clusteradm join --hub-token <token from clusteradm get token command > <production cluster name>
Back on the hub cluster accept the join request
clusteradm accept --clusters <production-cluster-name>
Skip to the next section, Production is joined
Now that ACM is no longer deploying the production applications everywhere, we need
to explicitly indicate that the new cluster has the production role. If you haven’t tagged the cluster as
clustergroup=secured then we can that here.
We do this by adding the label referenced in the managedSite’s
Find the new cluster
oc get managedclusters.cluster.open-cluster-management.io
Apply the label
oc label managedclusters.cluster.open-cluster-management.io/YOURCLUSTER clustergroup=secured
That’s it! Go to your production OpenShift console and check for the open-cluster-management-agent pod being launched. Be patient, it will take a while for the ACM agent and agent-addons to launch. After that, the operator OpenShift GitOps will run. When it’s finished coming up launch the OpenShift GitOps (ArgoCD) console from the top right of the OpenShift console.
Work your way through the Multicluster DevSecOps GitOps/DevOps demos (TBD)