Secure client deployment: Red Hat OpenShift OperatorHub

The Turbonomic secure client can be deployed in the Red Hat OpenShift Container Platform. This deployment brings all of the capabilities of the Turbonomic secure client to the Red Hat OpenShift Container Platform, such as secure communication to SaaS and auto-upgrade of both the probes and the operator.

This topic provides instructions for deploying the Turbonomic secure client in Red Hat OpenShift 4.8.x or higher using the Red Hat OpenShift OperatorHub.

Prerequisites

  • Firewall ports

    If the secure client is behind a firewall, ensure that all nodes in the cluster can make outbound requests to several external fully qualified domain name and port combinations that are exposed on your SaaS environment. To view the list of fully qualified domain name and port combinations, open the Turbonomic user interface, navigate to Settings > Secure Client Management, and then click the Server Details tab.

    Secure Client Management Server Details dialog

    If you do not see the Secure Client Management option in the Settings page or if the Server Details tab is empty, log a support ticket and request that Secure Client Management be enabled in your SaaS server.

  • Access to IBM Container Registry

    For the self-upgrading probe capability to work, the client environment must be able to pull new images from the IBM Container Registry, unless you use a private registry.

    Add the following addresses to the allowlist for all nodes of the cluster:

    https://icr.io
    https://*.icr.io

    Note:

    Access to IBM Container Registry is mandatory to install the Turbonomic secure client and receive regular updates.

  • Red Hat OpenShift cluster console access

    • Ensure you have login access to the Red Hat OpenShift cluster console.

    • Create a new project in the Red Hat OpenShift cluster.

      This project is used throughout the installation process. All of the resources installed later, including the Turbonomic secure client, must be installed in this project (namespace).

      1. Navigate to Home > Projects.

      2. On the Projects page, click Create Project.

      3. Enter the name of the project (for example, turbonomic) and click Create.

Installing the secure client operator

  1. Navigate to Operators > OperatorHub.

  2. In the Filter by keyword box, enter Turbonomic Secure Connect Client to find and select the Turbonomic secure client (Turbonomic Secure Connect Client).

  3. On the Turbonomic Secure Connect Client page, read the information about the Operator and click Install.

  4. On the Install Operator page, ensure the Installed namespace is the same as the project you created earlier during the prerequisites steps, for example turbonomic. Do not modify any other default configuration settings so that the operator configuration is as follows:

    • Update channel: stable

    • Installation mode: A specific namespace on the cluster

    • Installed namespace: turbonomic

    • Update approval: Automatic

    Note:

    The Update approval must be set to Automatic to keep the secure client components (probes and tunnel) in sync with the server.

  5. Click Install.

  6. Once the Operator installs and you see "Installed operator - ready for use," click View Operator or select Operators > Installed Operators to view the Turbonomic Secure Connect Client operator.

  7. Apply the Turbonomic Client custom resource.

    1. On the Installed Operator page, click the Details tab for the Turbonomic Secure Connect Client operator.

    2. On the Details tab, under Provided APIs, click Create Instance for the Turbonomic Client API.

    3. Ensure the selected Project is the same one in which you installed the Turbonomic Secure Connect Client operator.

    4. Click Create to create an instance of the TurbonomicClient API.

  8. Apply the VersionManager custom resource.

    1. On the Installed Operator page, click the Details tab for Turbonomic Secure Connect Client operator.

    2. On the Details tab, under Provided APIs, click Create Instance for the Version Manager API.

    3. On the Create VersionManager page, ensure the selected Project is the same one in which you installed the Turbonomic Secure Connect Client operator.

    4. Click Create to create an instance of the VersionManager API.

Establishing a secure connection between the secure client and the SaaS server

To establish a secure connection between the secure client and the SaaS server, create and apply a token to the secure client. If you have not been provided the URL or login credentials of your SaaS server, contact your Turbonomic representative before proceeding.

  1. Create a new token.

    1. Log in to your SaaS server.

    2. Click Settings > Secure Client Management.

    3. Select the Client Network Tokens tab and click Create token.

    4. On the Create token dialog, configure the claim limit and the lifespan for the token.

      To increase the security of the token, use low values for the claim limit and the lifespan when you create it.

      Secure Client Management Create Token dialog

      Claim limit

      The claim limit of a token is the number of clients that can be added by using the same token. If you need to connect multiple clients with the same token, increase the claim limit to match the number of clients to be added.

      Lifespan

      The lifespan of a token is the amount of time before the token expires. An expired token cannot be used to add a client.

      An example where the same token can be used for multiple clients is Kubeturbo. If there are many Kubeturbo agents to be connected, it may be convenient to generate one token and apply the same token to each Kubeturbo agent. In this case, increase the claim limit to match the number of Kubeturbo agents to be added and increase the lifespan to allow enough time for the token to be applied to all agents.

    5. Click Create.

      Download the token value or copy the token to the clipboard.

  2. Apply the token to the secure client.

    After you create the token, it must be applied as a Kubernetes Secret within the same Red Hat OpenShift project as your secure client.

    1. On the Red Hat OpenShift UI, navigate to Workloads > Secrets.

    2. Click Create > From YAML, which is displayed on the upper-right side of the Secrets window.

    3. Replace the existing content with the token you generated in the UI and click Create.

      For reference, the JSON output should be similar to the following example:

      {
        "apiVersion": "v1",
        "data": {
          "ca.crt": "<base64 encoded certificate>",
          "password": "<base64 encoded password>"
        },
        "kind": "Secret",
        "metadata": {
          "annotations": {
            "skupper.io/generated-by": "aa7e96fe-bbcb-48b2-b2ce-a6a87b12a53d",
            "skupper.io/site-version": "1.2.4",
            "skupper.io/url": "<URL of SaaS instance used for token exchange>"
          },
          "labels": {
            "skupper.io/type": "token-claim"
          },
          "name": "5c3155c7-5a04-11ed-a12e-92430b25f882"
        }
      }

  3. Verify that the connection was established.

    If the connection was successful, the remote-nginx-tunnel and remote-rsylog services will be visible on the Services page.

    1. Navigate to Networking > Services.

    2. In the Filter by name box, enter remote.

    3. Review to ensure the remote-nginx-tunnel and remote-rsylog services are visible.
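As an added example (not part of the Turbonomic documentation or product code), the following Python check lints a downloaded token against the reference Secret shown in step 2 before it is pasted into the console. The function name check_token_secret, the https requirement on skupper.io/url and the PEM form of ca.crt are assumptions; the sample values are constructed.

```python
import base64
import binascii
import json
from urllib.parse import urlsplit


def _b64(value):
    """Strictly decode base64; None when the value is absent or malformed."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError, TypeError):
        return None


def check_token_secret(text, project):
    """Return the problems found in a token-claim Secret (empty list = pass)."""
    try:
        doc = json.loads(text)
        meta, data = doc["metadata"], doc["data"]
        label = meta.get("labels", {}).get("skupper.io/type")
        url = urlsplit(str(meta.get("annotations", {}).get("skupper.io/url", "")))
        decoded = {key: _b64(data.get(key)) for key in ("ca.crt", "password")}
    except (ValueError, KeyError, TypeError, AttributeError):
        return ["manifest is not a well-formed JSON Secret"]
    problems = []
    if (doc.get("apiVersion"), doc.get("kind")) != ("v1", "Secret"):
        problems.append("manifest is not a v1 Secret")
    if label != "token-claim":
        problems.append("label skupper.io/type is not token-claim")
    if meta.get("namespace", project) != project:  # the page's sample sets none
        problems.append("metadata.namespace differs from the client project")
    if url.scheme != "https" or not url.hostname:  # assumption: exchange URL is https
        problems.append("skupper.io/url is not an https URL")
    for key, value in decoded.items():
        if not value:
            problems.append(f"data[{key!r}] is missing or not base64")
    # Assumption: the CA certificate is PEM text before base64 encoding.
    if decoded["ca.crt"] and b"-----BEGIN CERTIFICATE-----" not in decoded["ca.crt"]:
        problems.append("ca.crt does not decode to a PEM certificate")
    return problems


_PEM = b"-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n"
SAMPLE = json.dumps({  # constructed sample with made-up values, not a real token
    "apiVersion": "v1", "kind": "Secret",
    "data": {"ca.crt": base64.b64encode(_PEM).decode(), "password": "Y29uc3RydWN0ZWQ="},
    "metadata": {"name": "constructed-claim", "labels": {"skupper.io/type": "token-claim"},
                 "annotations": {"skupper.io/url": "https://saas.example.invalid/claim"}},
})
```

Call check_token_secret with the downloaded token text and the project name (for example, turbonomic); an empty list means the manifest has the expected shape.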

Enabling and adding targets

When you first install the Turbonomic Secure Connect Client using OperatorHub, the following probes are enabled by default, so you can add them to your SaaS server. If you do not want any of these probes enabled, edit the Custom Resource YAML resource to disable the probe.

  • Cisco UCS Manager

  • VMware vCenter

  • NetApp Cluster Mode

  • Pure Storage

Enable any required probes, then add the target to your SaaS server. For a list of supported targets, see Managing On-prem Targets using the Secure Client.

Important:

Do not use the secure client to enable cloud or cloud-based APM targets. Your Turbonomic representative should enable these targets for you.

  1. Navigate to Installed Operators > Turbonomic Secure Connect Client > TurbonomicClient tab.

  2. On the TurbonomicClient page, select the YAML view to display the Custom Resource YAML file editor.

  3. Edit the Custom Resource YAML resource to enable probes.

    Find the spec: section followed by probes:. Then, find a probe and set the value for enabled to true. All target probes need to be configured in the YAML resource by using the formatting shown in the following example:

    spec:
      global:
        version: 8.15.0
      probes:
        actionScript:
          enabled: false
        appDynamics:
          enabled: true
        ...

    Note:

    To disable a probe, set the value for enabled to false.

  4. Save and apply your changes to the platform.

  5. Log in to your SaaS server and add the target.

    1. Log in to your SaaS server.

    2. Navigate to Settings > Target Configuration.

    3. Click New Target, select the target type, and then select the target.

    4. Provide the required information and add the target. See the Target Configuration topic for the target for additional information.