This repo contains a PoC of a tool to automatically entitle an OpenShift cluster. The entitlement manager runs in a pod and can be managed via a Kubernetes Custom Resource.
- create a dedicated project where the operator is executed
$ oc new-project ocp-entitlement-manager-operator
IMPORTANT: if you use a different project name you will need to edit the ClusterRoleBinding manifest
- create the CRD
$ oc create -f https://github.com/pbertera/ocp-entitlement-manager/raw/master/operator/deploy/crds/entitlement-manager.bertera.it_entitlements_crd.yaml
- create the role and rolebindings (if you are using a custom namespace to deploy the operator, please modify the namespace of the ServiceAccount subject in the ClusterRoleBinding)
$ oc create -f https://github.com/pbertera/ocp-entitlement-manager/raw/master/operator/deploy/role.yaml
$ oc create -f https://github.com/pbertera/ocp-entitlement-manager/raw/master/operator/deploy/service_account.yaml
$ oc create -f https://github.com/pbertera/ocp-entitlement-manager/raw/master/operator/deploy/role_binding.yaml
- apply the CustomResource quota
$ oc create -f https://github.com/pbertera/ocp-entitlement-manager/raw/master/operator/deploy/quota.yaml
- deploy the operator
$ oc create -f https://github.com/pbertera/ocp-entitlement-manager/raw/master/operator/deploy/operator.yaml
Now that the operator is installed, you can check the deployment and the controlled pods:
$ oc describe deployment ocp-entitlement-manager-operator
$ oc get pods # should return a pod with name entitlement-manager-xxxx
- create the secret: you have to get the token from https://cloud.redhat.com/openshift/token
$ oc create secret generic ocm-token --from-literal=ocm-token.json="eyJ...."
- create the Entitlement custom resource:
$ cat <<EOF | oc create -f -
apiVersion: "entitlement-manager.bertera.it/v1alpha1"
kind: "Entitlement"
metadata:
name: "cluster-entitlement"
spec:
ocmTokenSecret: "ocm-token"
loopHours: "1"
supportLevel: "Self-Support"
usage: "Production"
EOF
- check the entitlement
$ oc get entitlement
NAME SUPPORT USAGE
cluster-entitlement Self-Support Production
After creating the Entitlement, a new deployment named entitlement-manager will be created. This deployment controls a pod running the manager.
If there is a mismatch between the Entitlement and the entitlement currently assigned to the cluster, the manager will try to apply the values of the Entitlement; if that fails, the controlled pod exits.
Checking the pod logs should help in troubleshooting the issue. The full Entitlement resource has the following fields:
apiVersion: "entitlement-manager.bertera.it/v1alpha1"
kind: "Entitlement"
metadata:
name: <name>
spec:
supportLevel: <support-level>
usage: <usage>
serviceLevel: <service-level>
systemUnits: <system-units>
ocmTokenSecret: <secret-name>
loopHours: <loop-hours>
clusterUUID: <clusterUUID>
displayName: <display-name>
archived: <archived-flag>
maxReconcileExecutions: <max-reconcile>
debug: <debug-flag>
- supportLevel: (string) valid values: Self-Support, Eval, Standard, Premium, None (default: 'Self-Support')
- usage: (string) valid values: Production, Development/Test, Disaster Recovery, Academic (default: 'Production')
- serviceLevel: (string) valid values: L1-L3, L3-only (default: L1-L3)
- systemUnits: (string) valid values: Cores/vCPU, Sockets (default: Cores/vCPU)
- ocmTokenSecret: mandatory (string) the name of the secret containing the cloud.redhat.com token; the key name must be ocm-token.json (default: 'ocm-token')
- loopHours: (numeric string) interval in hours between entitlement checks (default: '1'), minimum value: "1"
- clusterUUID: (string) the OpenShift cluster UUID (default: empty). If not defined, the operator will gather the UUID from the API (this is the reason for the ClusterRole)
- displayName: (string) the cluster display name shown on https://cloud.redhat.com/openshift/ (default: empty)
- archived: (string) whether the cluster is archived. Valid values: yes, no
- maxReconcileExecutions: (numeric string) maximum number of reconcile executions without a change to the Entitlement resource; when reached, the pod will exit with an error
- debug: (string) if the value is yes, debug is activated on the entitlement-manager pod
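As an added example (not part of the ocp-entitlement-manager project), a pre-flight check that validates a parsed Entitlement manifest against the field reference above before it is created, so a bad value is reported here rather than by the controlled pod exiting later. The sample CR is the one shown earlier in this README, embedded as the dict a YAML parser would return.

```python
# Added example (not the project's code): a pre-flight check of an Entitlement CR
# against the field reference above, run on the parsed manifest before `oc create`.
# A bad value is caught here instead of by the controlled pod exiting later.

# Enumerated fields: (valid values, default); a None default means "empty".
ENUMS = {
    "supportLevel": (("Self-Support", "Eval", "Standard", "Premium", "None"), "Self-Support"),
    "usage": (("Production", "Development/Test", "Disaster Recovery", "Academic"), "Production"),
    "serviceLevel": (("L1-L3", "L3-only"), "L1-L3"),
    "systemUnits": (("Cores/vCPU", "Sockets"), "Cores/vCPU"),
    "archived": (("yes", "no"), None),
    "debug": (("yes", "no"), None),
}
# Numeric-string fields: (minimum, default)
NUMERIC = {"loopHours": (1, "1"), "maxReconcileExecutions": (1, None)}
FREE_TEXT = ("clusterUUID", "displayName")

# Constructed sample: the CR shown in this README, as a parser would return it.
SAMPLE_CR = {
    "apiVersion": "entitlement-manager.bertera.it/v1alpha1", "kind": "Entitlement",
    "metadata": {"name": "cluster-entitlement"},
    "spec": {"ocmTokenSecret": "ocm-token", "loopHours": "1",
             "supportLevel": "Self-Support", "usage": "Production"},
}


def validate_entitlement(cr):
    """Return (spec with defaults applied, list of error strings)."""
    errors = []
    if (cr.get("apiVersion"), cr.get("kind")) != ("entitlement-manager.bertera.it/v1alpha1", "Entitlement"):
        errors.append("apiVersion/kind must be entitlement-manager.bertera.it/v1alpha1 Entitlement")
    spec, out = dict(cr.get("spec") or {}), {}
    # ocmTokenSecret is the one mandatory field: the Secret whose key ocm-token.json holds the token
    out["ocmTokenSecret"] = spec.pop("ocmTokenSecret", None)
    if not out["ocmTokenSecret"]:
        errors.append("spec.ocmTokenSecret is mandatory")
    for field, (valid, default) in ENUMS.items():
        out[field] = value = spec.pop(field, default)
        # an unquoted yes/no in the manifest arrives as a YAML 1.1 boolean, not a string, and fails here
        if value is not None and value not in valid:
            errors.append(f"spec.{field}: {value!r} not in {valid}")
    for field, (minimum, default) in NUMERIC.items():
        out[field] = value = spec.pop(field, default)
        # the CRD takes these as strings, so a bare YAML integer is rejected as well
        if value is not None and not (isinstance(value, str) and value.isdigit() and int(value) >= minimum):
            errors.append(f"spec.{field}: must be a numeric string >= {minimum}, got {value!r}")
    for field in FREE_TEXT:
        out[field] = spec.pop(field, "")
    errors += [f"spec.{field}: unknown field" for field in spec]  # anything left is undocumented
    return out, errors
```

Quote every value in the manifest (as the README's sample does): an unquoted `yes`, `no` or `1` is parsed as a boolean or integer and does not match the string type the CRD documents.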
TODO