Setting up trusted profiles for the OpenShift Data Foundation add-on
Applies to: Virtual Private Cloud and Classic clusters
You can use trusted profiles to limit the access that pods running in your cluster have to other resources in your account or cluster. For the OpenShift Data Foundation add-on, a trusted profile lets the metrics agent authenticate to IBM Cloud IAM with its profile ID instead of a long-lived API key stored in the cluster. For more information about trusted profiles, see Creating trusted profiles.
Enabling the OpenShift Data Foundation add-on
1. Enable the add-on in your cluster. Review the Parameter Reference.
   Example command:
   ibmcloud oc cluster addon enable openshift-data-foundation -c <cluster-name> --version 4.X.X
2. Verify that the add-on state is normal and the status is ready.
   ibmcloud oc cluster addon ls --cluster CLUSTER-ID
3. Verify that the metrics agent pod is deployed and the status is Running.
   kubectl get pods -n kube-system | grep ibm-storage-metrics-agent
   Example output:
   ibm-storage-metrics-agent-644cd95b5b-rh2gd 2/2 Running 0 7h42m
Setting up trusted profiles
1. Follow the steps to create a trusted profile. In the Conditions for the profile, be sure to specify the following access.
   - Allow access when Namespace equals kube-system
   - Satellite Service Roles - Satellite Link Administrator, Reader
   - Kubernetes Service Roles - Manager, Editor
   - Billing Service Roles - Reader, Operator
2. After you create your trusted profile, copy the ID from the Trusted profiles page in the console.
3. Decide whether the Kubernetes secret that the add-on reads contains the trusted profile ID (auth type pod-identity) or an IAM API key (auth type iam). Prefer pod-identity where you can: the profile ID is not a secret, so nothing long-lived that has to be protected and rotated is stored in the cluster. You can create the secret manually, as described in the following steps, or with the shell script in the next section.
   Example credentials with pod identity:
   IBMCLOUD_AUTHTYPE=pod-identity
   IBMCLOUD_PROFILEID=<TRUSTED-PROFILE-ID>
   Example credentials with an API key:
   IBMCLOUD_AUTHTYPE=iam
   IBMCLOUD_APIKEY=<API-KEY>
4. Encode the credentials to base64. Keep each setting on its own line, as in the examples (this is the format that the generate-secret.sh script in the next section produces), and strip the line breaks that some base64 implementations add to their output.
   Example with pod identity:
   printf 'IBMCLOUD_AUTHTYPE=pod-identity\nIBMCLOUD_PROFILEID=<TRUSTED-PROFILE-ID>\n' | base64 | tr -d '\n'
   Example with an API key:
   printf 'IBMCLOUD_AUTHTYPE=iam\nIBMCLOUD_APIKEY=<API-KEY>\n' | base64 | tr -d '\n'
5. Create a secret in your cluster that contains the credentials for the trusted profile. Save the following YAML to a file called ibm-cloud-credentials.yaml. In the ibm-credentials.env: field, enter the base64 encoded value from the previous step. Base64 is an encoding, not encryption: anyone who can read the file, or the secret in the cluster, can recover the value, so if you use an API key, delete the file after you apply it.
   apiVersion: v1
   data:
     ibm-credentials.env: <BASE64-ENCODED-CREDENTIALS>
   kind: Secret
   metadata:
     name: ibm-cloud-credentials
     namespace: kube-system
   type: Opaque
6. Create the secret in your cluster.
   kubectl apply -f ibm-cloud-credentials.yaml
7. Restart the agent pod so that it reads the new secret.
   kubectl delete pod <ibm-storage-metrics-agent-pod-name> -n kube-system
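The following shell functions are an added example, not code from the IBM Cloud documentation or from the add-on. They build the ibm-cloud-credentials manifest in memory so that it can be piped straight into kubectl apply without a file that holds the encoded credential, read the auth type back out of a manifest (or out of the live secret), and check an agent log line for the secret-used and type fields that the verification step at the end of this page looks for. The env-file format (one KEY=VALUE per line) follows what the page's generate-secret.sh produces; the function names, the sample profile ID and the sample log line are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example (not from the IBM Cloud docs or the ODF add-on): build, inspect
# and verify the ibm-cloud-credentials secret without writing plaintext to disk.
set -eu

# Emit the ibm-credentials.env content: one KEY=VALUE per line, the same layout
# the page's generate-secret.sh produces. Only iam and pod-identity are valid.
render_credentials_env() {
  local auth_type=$1 value=$2
  case "$auth_type" in
    pod-identity) printf 'IBMCLOUD_AUTHTYPE=pod-identity\nIBMCLOUD_PROFILEID=%s\n' "$value" ;;
    iam)          printf 'IBMCLOUD_AUTHTYPE=iam\nIBMCLOUD_APIKEY=%s\n' "$value" ;;
    *) echo "auth type must be iam or pod-identity" >&2; return 1 ;;
  esac
}

# base64 without line wrapping; works with both GNU and BSD base64.
b64() { base64 | tr -d '\n'; }

# Render the Secret manifest to stdout. Pipe it into `kubectl apply -f -` so the
# encoded credential never lands in a file that may outlive the job.
render_credentials_secret() {
  local auth_type=$1 value=$2 encoded
  encoded=$(render_credentials_env "$auth_type" "$value" | b64)
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ibm-cloud-credentials
  namespace: kube-system
type: Opaque
data:
  ibm-credentials.env: ${encoded}
EOF
}

# Read a manifest on stdin (rendered above, or from
# `kubectl get secret ibm-cloud-credentials -n kube-system -o yaml`) and print
# the IBMCLOUD_AUTHTYPE it carries, so you can confirm what was actually stored.
secret_auth_type() {
  awk '/ibm-credentials.env:/ {print $2}' | base64 -d | sed -n 's/^IBMCLOUD_AUTHTYPE=//p'
}

# Check one line of storage-secret-sidecar output: succeed only if it reports
# the ibm-cloud-credentials secret with the expected auth type.
agent_log_uses() {
  local expected=$1 line=$2
  case "$line" in
    *'"secret-used":"ibm-cloud-credentials"'*'"type":"'"$expected"'"'*) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage (assumes a configured kubectl/oc context; not run here):
#   render_credentials_secret pod-identity "$PROFILE_ID" | kubectl apply -f -
#   kubectl get secret ibm-cloud-credentials -n kube-system -o yaml | secret_auth_type
#   oc logs <agent-pod> -c storage-secret-sidecar -n kube-system | while read -r l; do
#     agent_log_uses pod-identity "$l" && echo "sidecar is using the trusted profile"; done
```

Passing the value as a function argument still exposes an API key in shell history and process listings, which is one more reason to prefer pod-identity: a profile ID is safe to show there.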
Automatically creating a secret by using a Shell script
1. Follow the steps to create a trusted profile. In the Conditions for the profile, be sure to specify the following access.
   - Allow access when Namespace equals kube-system
   - Satellite Service Roles - Satellite Link Administrator, Reader
   - Kubernetes Service Roles - Manager, Editor
   - Billing Service Roles - Reader, Operator
2. Save the following script to a file called generate-secret.sh. The script writes the manifest with the encoded credential to ibm-cloud-credentials.yaml, so it restricts that file to the current user and removes it when the script exits, whether or not the apply succeeded.

#!/usr/bin/env bash
# generate-secret.sh: creates the ibm-cloud-credentials secret that the ODF
# metrics agent reads and restarts the agent pod so that it picks the secret up.
IBMCLOUD_AUTHTYPE=
SECRET=

# error - prints the given message and exits; use as `command || error "message"`
error() {
  echo "$1"
  exit 1
}

# validate_arguments validates the arguments provided to the script
validate_arguments() {
  if [[ "$#" -eq 1 ]]; then
    if [[ "$1" == "-h" ]] || [[ "$1" == "--help" ]]; then
      usage
      exit 1
    fi
  fi
  # number of arguments provided to the script must be 2
  if [[ "$#" -ne 2 ]]; then
    echo "Invalid number of arguments provided"
    usage
    exit 1
  fi
  # 1st argument must be 'iam' or 'pod-identity'
  if [[ "$1" != "iam" ]] && [[ "$1" != "pod-identity" ]]; then
    echo "Provide a valid auth-type"
    usage
    exit 1
  fi
  IBMCLOUD_AUTHTYPE=$1
  SECRET=$2
}

# usage - prints the usage for execution of script
usage() {
  echo "USAGE: bash generate-secret.sh <auth-type> <apikey/profile-id>
auth-type: auth-type should be either iam or pod-identity. Provide iam to use api key, pod-identity to use trusted profile"
}

# main
main() {
  validate_arguments "$@"
  auth_type="IBMCLOUD_AUTHTYPE=$IBMCLOUD_AUTHTYPE"
  secret=
  if [[ "$IBMCLOUD_AUTHTYPE" == "iam" ]]; then
    secret="IBMCLOUD_APIKEY=$SECRET"
  else
    secret="IBMCLOUD_PROFILEID=$SECRET"
  fi
  # the env file is one KEY=VALUE per line; printf is portable where echo -e is not
  encodedValue=$(printf '%s\n%s\n' "$auth_type" "$secret" | base64)
  # on certain OS, base64 encoding introduces newlines, removing the same here.
  encodedValue=${encodedValue//$'\n'/}

  # fetch the agent pod name
  agentPodName=$(kubectl get pods -n kube-system | grep ibm-storage-metrics-agent | awk '{print $1}') \
    || error "$(date +"%b %d %G %H:%M:%S"): Unable to fetch ODF agent pod."
  if [[ "$agentPodName" == "" ]]; then
    echo "$(date +"%b %d %G %H:%M:%S"): Error - ibm-storage-metrics-agent pod not found"
    exit 1
  fi

  # the manifest holds the encoded credential: keep it readable only by the
  # current user and delete it on exit, whether or not the apply succeeds
  umask 077
  trap 'rm -f ibm-cloud-credentials.yaml' EXIT
  cat > ibm-cloud-credentials.yaml <<EOF
apiVersion: v1
data:
  ibm-credentials.env: $encodedValue
kind: Secret
metadata:
  name: ibm-cloud-credentials
  namespace: kube-system
type: Opaque
EOF

  # create the k8s secret
  kubectl apply -f ibm-cloud-credentials.yaml &> /dev/null \
    || error "$(date +"%b %d %G %H:%M:%S"): Error creating ibm-cloud-credentials secret."
  echo "$(date +"%b %d %G %H:%M:%S"): Created ibm-cloud-credentials secret"

  # restart the ODF agent pod
  echo "$(date +"%b %d %G %H:%M:%S"): Restarting $agentPodName pod"
  kubectl delete pod "$agentPodName" -n kube-system &> /dev/null \
    || error "$(date +"%b %d %G %H:%M:%S"): Error restarting $agentPodName pod in kube-system namespace."

  # wait up to 60 seconds for the replacement pod to reach Running
  agentPodStatus=
  for i in {1..12}; do
    sleep 5
    agentPodStatus=$(kubectl get pods -n kube-system | grep ibm-storage-metrics-agent | awk '{print $3}')
    if [[ "$agentPodStatus" == "Running" ]]; then
      echo "$(date +"%b %d %G %H:%M:%S"): $i: ODF billing agent is now using ibm-cloud-credentials secret"
      exit 0
    fi
  done
  # reached only if the pod never became Running; exit non-zero so callers notice
  error "$(date +"%b %d %G %H:%M:%S"): Error - ibm-storage-metrics-agent is in $agentPodStatus state"
}

main "$@"
3. Run the generate-secret.sh script with bash (it uses bash-only syntax, so do not run it with sh). Specify iam or pod-identity as the IBMCLOUD_AUTHTYPE and your PROFILE-ID or API-KEY. Note that the second argument is visible in your shell history and in process listings while the script runs, which matters for an API key but not for a profile ID.
   Example command to run generate-secret.sh by using pod-identity with your trusted profile ID:
   bash ./generate-secret.sh pod-identity PROFILE-ID
   Example command to run generate-secret.sh by using iam with an API key:
   bash ./generate-secret.sh iam API-KEY
4. The script restarts the agent pod itself. If it exited with an error after the secret was created, restart the agent pod manually so that it reads the new secret.
   oc delete pod <ibm-storage-metrics-agent-pod-name> -n kube-system
5. Get the logs of the agent pod to verify that the agent is using the correct credentials by looking for the secret type in the output. For example, "secret-used":"ibm-cloud-credentials","type":"pod-identity".
   oc logs ibm-storage-metrics-agent-xxx -c storage-secret-sidecar -n kube-system