Setting up trusted profiles for the OpenShift Data Foundation add-on

Applies to: Virtual Private Cloud and Classic clusters

You can use trusted profiles to limit the access that running pods in your cluster have to other resources in your account or cluster. For more information about trusted profiles, see Creating trusted profiles.

Enabling the OpenShift Data Foundation add-on

  1. Log in to your account. If applicable, target the appropriate resource group. Set the context for your cluster.

  2. Enable the add-on in your cluster. Review the Parameter Reference.

    Example command:

    ibmcloud oc cluster addon enable openshift-data-foundation -c <cluster-name> --version 4.X.X
    
  3. Verify that the add-on state is normal and the status is ready.

    ibmcloud oc cluster addon ls --cluster CLUSTER-ID
    
  4. Verify that the metrics agent pod is deployed and the status is Running.

    kubectl get pods -n kube-system | grep ibm-storage-metrics-agent
    

    Example output:

    ibm-storage-metrics-agent-644cd95b5b-rh2gd        2/2     Running   0          7h42m
    

Setting up trusted profiles

  1. Follow the steps to create a trusted profile. In the Conditions for the profile, be sure to specify the following access.

    • Allow access when Namespace equals kube-system
    • Satellite Service Roles - Satellite Link Administrator, Reader
    • Kubernetes Service Roles - Manager, Editor
    • Billing Service Roles - Reader, Operator
  2. After you create your trusted profile, copy the ID from the Trusted profiles page in the console.

  3. Decide whether to use the trusted profile ID (pod-identity) or an API key (iam) in the Kubernetes secret that the add-on uses. Save the following text and enter your credentials. You can create the secret manually by following the remaining steps, or use the shell script in the next section to create it automatically.

    Example credentials with pod identity:

    IBMCLOUD_AUTHTYPE=pod-identity
    IBMCLOUD_PROFILEID=<TRUSTED-PROFILE-ID>
    

    Example credentials with an API key:

    IBMCLOUD_AUTHTYPE=iam
    IBMCLOUD_APIKEY=<API-KEY>
    
  4. Encode the credentials to base64. Use echo -n so that no trailing newline is encoded, and keep the output on a single line: some base64 implementations wrap long output, and a wrapped value is not accepted in the data: field of the secret. For pod-identity, replace the second line with IBMCLOUD_PROFILEID=<TRUSTED-PROFILE-ID>.

    echo -n "IBMCLOUD_AUTHTYPE=<IAM-OR-POD-IDENTITY>
    IBMCLOUD_APIKEY=<API-KEY>" | base64
    
  5. Create a secret in your cluster that contains the credentials for the trusted profile. Save the following YAML to a file called ibm-cloud-credentials.yaml. In the ibm-credentials.env: field, enter the base64-encoded credentials from the previous step (the auth type together with either the API key or the trusted profile ID).

    apiVersion: v1
    data:
      ibm-credentials.env: <BASE64-ENCODED-CREDENTIALS> # single-line base64 output from the previous step
    kind: Secret
    metadata:
      name: ibm-cloud-credentials
      namespace: kube-system
    type: Opaque
    
  6. Log in to your account. If applicable, target the appropriate resource group. Set the context for your cluster.

  7. Create the secret in your cluster.

    kubectl apply -f ibm-cloud-credentials.yaml
    
  8. Restart the agent pods.

    kubectl delete pod <ibm-storage-metrics-agent> -n kube-system
    
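
The manual steps above hand-build the base64 value and the manifest, which is where the usual mistakes creep in: a wrapped base64 line, keys under data: or metadata: that are not indented, or a profile ID paired with IBMCLOUD_AUTHTYPE=iam. The following Python helper is an added example written for this page; it is not part of the IBM documentation or of the add-on. It builds the ibm-cloud-credentials manifest for either auth type and decodes an existing manifest to check that its ibm-credentials.env matches the auth type you intended, so you can verify the secret before restarting the agent. It uses only the standard library; the key names, secret name and namespace are the ones from the steps above, and the placeholder profile ID in the usage section is constructed.

```python
import base64

# Key names, secret name and namespace are the ones used in the steps above.
AUTH_TYPES = {
    "pod-identity": "IBMCLOUD_PROFILEID",  # trusted profile ID: no long-lived key in the Secret
    "iam": "IBMCLOUD_APIKEY",              # API key: a long-lived credential stored at rest
}
SECRET_NAME = "ibm-cloud-credentials"
SECRET_NAMESPACE = "kube-system"
ENV_KEY = "ibm-credentials.env"


def build_credentials_env(auth_type: str, credential: str) -> str:
    """Return the two-line KEY=VALUE text that goes into ibm-credentials.env."""
    if auth_type not in AUTH_TYPES:
        raise ValueError(f"auth_type must be one of {sorted(AUTH_TYPES)}, got {auth_type!r}")
    credential = credential.strip()
    if not credential or "\n" in credential:
        raise ValueError("credential must be a single non-empty line")
    return f"IBMCLOUD_AUTHTYPE={auth_type}\n{AUTH_TYPES[auth_type]}={credential}"


def encode_credentials(env_text: str) -> str:
    """Standard base64 with no line wrapping, so the value is one YAML scalar."""
    return base64.b64encode(env_text.encode("utf-8")).decode("ascii")


def build_secret_manifest(auth_type: str, credential: str) -> dict:
    """Assemble the Opaque Secret exactly as the manual step describes it."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "Opaque",
        "metadata": {"name": SECRET_NAME, "namespace": SECRET_NAMESPACE},
        "data": {ENV_KEY: encode_credentials(build_credentials_env(auth_type, credential))},
    }


def render_yaml(manifest: dict) -> str:
    """Render this fixed-shape manifest as YAML (keys under data: and metadata: indented)."""
    return (
        f"apiVersion: {manifest['apiVersion']}\n"
        f"data:\n  {ENV_KEY}: {manifest['data'][ENV_KEY]}\n"
        f"kind: {manifest['kind']}\n"
        f"metadata:\n  name: {manifest['metadata']['name']}\n"
        f"  namespace: {manifest['metadata']['namespace']}\n"
        f"type: {manifest['type']}\n"
    )


def verify_secret_manifest(manifest: dict, expected_auth_type: str) -> dict:
    """Decode ibm-credentials.env and check it against the auth type you intended.

    Returns the parsed KEY=VALUE pairs; raises ValueError describing the first mismatch.
    """
    if expected_auth_type not in AUTH_TYPES:
        raise ValueError(f"unknown auth type {expected_auth_type!r}")
    meta = manifest.get("metadata", {})
    if (meta.get("name"), meta.get("namespace")) != (SECRET_NAME, SECRET_NAMESPACE):
        raise ValueError(f"secret must be {SECRET_NAME} in {SECRET_NAMESPACE}")
    raw = manifest.get("data", {}).get(ENV_KEY)
    if raw is None:
        raise ValueError(f"data.{ENV_KEY} is missing")
    try:
        text = base64.b64decode(raw, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError) as exc:  # binascii.Error is a ValueError
        raise ValueError(f"data.{ENV_KEY} is not valid base64 text: {exc}") from exc
    env = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line in {ENV_KEY}: {line!r}")
        env[key.strip()] = value.strip()
    if env.get("IBMCLOUD_AUTHTYPE") != expected_auth_type:
        raise ValueError(
            f"IBMCLOUD_AUTHTYPE is {env.get('IBMCLOUD_AUTHTYPE')!r}, expected {expected_auth_type!r}"
        )
    wanted = AUTH_TYPES[expected_auth_type]
    if not env.get(wanted):
        raise ValueError(f"{wanted} is missing or empty for auth type {expected_auth_type}")
    return env


def secret_matches(manifest: dict, expected_auth_type: str) -> bool:
    """True if the manifest passes verify_secret_manifest, False otherwise."""
    try:
        verify_secret_manifest(manifest, expected_auth_type)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed placeholder; substitute the ID copied from the Trusted profiles page.
    manifest = build_secret_manifest("pod-identity", "<TRUSTED-PROFILE-ID>")
    print(render_yaml(manifest))
    print(verify_secret_manifest(manifest, "pod-identity"))
```

Write render_yaml(...) to ibm-cloud-credentials.yaml and apply it as in step 7. To check a secret that is already in the cluster, feed the JSON from kubectl get secret ibm-cloud-credentials -n kube-system -o json into verify_secret_manifest; the only thing it asks for is the metadata and data fields.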

Automatically creating a secret by using a Shell script

  1. Follow the steps to create a trusted profile. In the Conditions for the profile, be sure to specify the following access.

    • Allow access when Namespace equals kube-system
    • Satellite Service Roles - Satellite Link Administrator, Reader
    • Kubernetes Service Roles - Manager, Editor
    • Billing Service Roles - Reader, Operator
  2. Save the following script to a file called generate-secret.sh.

    #!/bin/bash
    # generate-secret.sh - creates the ibm-cloud-credentials secret in kube-system and
    # restarts the ibm-storage-metrics-agent pod so that it picks up the new credentials.

    IBMCLOUD_AUTHTYPE=
    SECRET=

    # ts - timestamp prefix for log messages
    ts() { date +"%b %d %G %H:%M:%S"; }

    # error - exits with the given message when the exit status passed as $1 is non-zero.
    # The status is passed explicitly because the $(ts) substitution in the message
    # would otherwise overwrite $? before the function sees it.
    error() {
        if [[ "$1" != 0 ]]; then
            echo "$2"; exit 1
        fi
    }

    # validate_arguments - validates the arguments provided to the script
    validate_arguments() {
        if [[ "$#" -eq 1 ]]; then
            if [[ "$1" == "-h" ]] || [[ "$1" == "--help" ]]; then
                usage; exit 1
            fi
        fi

        # number of arguments provided to the script must be 2
        if [[ "$#" -ne 2 ]]; then
            echo "Invalid number of arguments provided"
            usage; exit 1
        fi

        # 1st argument must be 'iam' or 'pod-identity'
        if [[ "$1" != "iam" ]] && [[ "$1" != "pod-identity" ]]; then
            echo "Provide a valid auth-type"
            usage; exit 1
        fi

        IBMCLOUD_AUTHTYPE=$1
        SECRET=$2
    }

    # usage - prints the usage for execution of the script
    usage() {
        echo "USAGE:
        bash generate-secret.sh <auth-type> <apikey/profile-id>
        auth-type: auth-type should be either iam or pod-identity. Provide iam to use an API key, pod-identity to use a trusted profile"
    }

    # main
    main() {
        validate_arguments "$@"

        auth_type="IBMCLOUD_AUTHTYPE=$IBMCLOUD_AUTHTYPE"

        secret=
        if [[ "$IBMCLOUD_AUTHTYPE" == "iam" ]]; then
            secret="IBMCLOUD_APIKEY=$SECRET"
        else
            secret="IBMCLOUD_PROFILEID=$SECRET"
        fi

        encodedValue=$(echo -e "$auth_type\n$secret" | base64)
        # on certain OSes, base64 wraps its output with newlines; remove them so the
        # value is a single YAML scalar
        encodedValue=${encodedValue//$'\n'/}

        # fetch the agent pod name
        agentPodName=$(kubectl get pods -n kube-system | grep ibm-storage-metrics-agent | awk '{print $1}')
        error $? "$(ts):  Unable to fetch ODF agent pod."
        if [[ "$agentPodName" == "" ]]; then
            echo "$(ts):  Error - ibm-storage-metrics-agent pod not found"
            exit 1
        fi

        # write the secret manifest; the keys under data: and metadata: must be indented
        echo "apiVersion: v1
    data:
      ibm-credentials.env: $encodedValue
    kind: Secret
    metadata:
      name: ibm-cloud-credentials
      namespace: kube-system
    type: Opaque" > ibm-cloud-credentials.yaml

        # create the k8s secret
        kubectl apply -f ibm-cloud-credentials.yaml &> /dev/null
        error $? "$(ts):  Error creating ibm-cloud-credentials secret."
        echo "$(ts):  Created ibm-cloud-credentials secret"

        # restart the ODF agent pod
        echo "$(ts):  Restarting $agentPodName pod"
        kubectl delete pod "$agentPodName" -n kube-system &> /dev/null
        error $? "$(ts):  Error restarting $agentPodName pod in kube-system namespace."

        # wait up to 60 seconds for the replacement pod to reach Running
        agentPodStatus=
        for i in {1..12}
        do
            sleep 5
            agentPodStatus=$(kubectl get pods -n kube-system | grep ibm-storage-metrics-agent | awk '{print $3}')
            if [[ "$agentPodStatus" == "Running" ]]; then
                echo "$(ts):  $i: ODF billing agent is now using ibm-cloud-credentials secret"
                rm ibm-cloud-credentials.yaml
                error $? "Error deleting ibm-cloud-credentials.yaml."
                exit 0
            fi
        done

        # the loop leaves $? at 0, so report the timeout explicitly rather than through error()
        echo "$(ts):  Error - ibm-storage-metrics-agent is in ${agentPodStatus:-unknown} state"
        exit 1
    }

    main "$@"
    
    
  3. Run the generate-secret.sh script with bash (it uses bash features such as [[ ]] and brace expansion), and specify iam or pod-identity as the IBMCLOUD_AUTHTYPE followed by your PROFILE-ID or API-KEY.

    Example command to run generate-secret.sh by using pod-identity with your trusted profile ID:

    bash ./generate-secret.sh pod-identity PROFILE-ID
    

    Example command to run generate-secret.sh by using iam with an API key:

    bash ./generate-secret.sh iam API-KEY
    
  4. Restart the agent pods.

    oc delete pod <ibm-storage-metrics-agent> -n kube-system
    
  5. Get the logs of the agent pod to verify that the driver is using the correct credentials by looking for the secret name and type in the output. For example: "secret-used":"ibm-cloud-credentials","type":"pod-identity".

    oc logs ibm-storage-metrics-agent-xxx -c storage-secret-sidecar -n kube-system
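
To check the log output from the previous step without reading it by eye, the following Python snippet (an added example, not from the IBM documentation) scans storage-secret-sidecar log lines for an entry that carries secret-used and type and compares them with what you configured. The sample log lines are constructed for this example; the field names secret-used and type are the ones quoted in the step above, and the assumption that they appear inside a JSON object on one line, possibly after a timestamp or level prefix, is this example's.

```python
import json
import re

EXPECTED_SECRET = "ibm-cloud-credentials"
# Grab the outermost {...} on a line, so prefixed lines like "2024-... INFO {...}" also parse.
_JSON_FRAGMENT = re.compile(r"\{.*\}")


def extract_credential_events(log_text: str) -> list:
    """Return (secret-used, type) pairs found in the log, in order of appearance.

    Lines that are not JSON, or whose JSON object lacks "secret-used", are skipped.
    """
    events = []
    for line in log_text.splitlines():
        match = _JSON_FRAGMENT.search(line)
        if not match:
            continue
        try:
            obj = json.loads(match.group(0))
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict) and "secret-used" in obj:
            events.append((obj.get("secret-used"), obj.get("type")))
    return events


def credentials_check(log_text: str, expected_type: str) -> dict:
    """Judge the most recent credential event (the agent may have restarted) against
    the auth type you configured; returns {"ok": bool, "reason": str}."""
    events = extract_credential_events(log_text)
    if not events:
        return {"ok": False, "reason": "no secret-used entry found in log"}
    secret, auth_type = events[-1]
    if secret != EXPECTED_SECRET:
        return {"ok": False, "reason": f"agent is using {secret!r}, not {EXPECTED_SECRET!r}"}
    if auth_type != expected_type:
        return {"ok": False, "reason": f"auth type is {auth_type!r}, expected {expected_type!r}"}
    return {"ok": True, "reason": f"{EXPECTED_SECRET} in use with type {auth_type}"}


# Constructed sample lines for a stand-alone run; not real agent output.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z INFO storage-secret-sidecar starting
{"level":"info","msg":"credentials loaded","secret-used":"ibm-cloud-credentials","type":"pod-identity"}
2024-05-01T10:00:01Z INFO watching secret for changes
"""

if __name__ == "__main__":
    print(credentials_check(SAMPLE_LOG, "pod-identity"))
```

Pipe the real output of the oc logs command above into credentials_check (for example via sys.stdin.read()) with the auth type you passed to generate-secret.sh; a False result with the reason string tells you whether the agent is reading a different secret or the secret carries the other auth type.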