Tuesday 28 July 2020

Vault Deployment on Openshift



Import the official Vault image from Docker Hub:

$ oc import-image vault:latest --confirm -n <Namespace>

Verify that the image stream is present in the desired namespace:

$ oc get is

Deploy the image stream using the command below:

$ oc new-app vault:latest

Create a new service account named "vault":

$ oc create sa vault

Assign the anyuid SCC to the service account you just created.
Note: you need cluster-admin rights to run this command.

$ oc adm policy add-scc-to-user anyuid -z vault

Edit the deployment config using the command below and add the service account to the pod template spec.

$ oc edit dc/vault -o yaml

Once the editor opens, add the two lines below to the pod template spec:
      serviceAccount: vault
      serviceAccountName: vault

Set the two environment variables below on the deployment config so the image can run as the vault user:
$ oc set env dc/vault SKIP_CHOWN=true SKIP_SETCAP=true

Roll out the changes using the command below:

$ oc rollout latest vault

That's all! The pod should be up and running; a Service and a Route can then be created to reach the Vault application from outside the cluster.
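As an added check that is not part of the original post, the script below reads the JSON from `oc get dc/vault -o json` and verifies that the two edits above (the `vault` service account and the SKIP_CHOWN/SKIP_SETCAP variables) actually landed in the pod template. The DeploymentConfig embedded in it is a constructed sample, not real cluster output.

```python
import json
import sys

# Constructed sample: a trimmed `oc get dc/vault -o json` as it should look after
# the `oc edit` and `oc set env` steps above (not real cluster output).
SAMPLE_DC = {
    "kind": "DeploymentConfig",
    "metadata": {"name": "vault"},
    "spec": {"template": {"spec": {
        "serviceAccountName": "vault",
        "containers": [{
            "name": "vault",
            "env": [{"name": "SKIP_CHOWN", "value": "true"},
                    {"name": "SKIP_SETCAP", "value": "true"}],
        }],
    }}},
}

# The two variables the post sets so the entrypoint skips chown/setcap, which need root.
REQUIRED_ENV = {"SKIP_CHOWN": "true", "SKIP_SETCAP": "true"}

def check_vault_dc(dc: dict, sa_name: str = "vault") -> list:
    """Return findings; an empty list means the DeploymentConfig matches the steps above."""
    findings = []
    pod_spec = dc.get("spec", {}).get("template", {}).get("spec", {})
    # The anyuid SCC was granted to the `vault` service account, so the pod template
    # must actually run under it; the default SA would still be restricted.
    sa = pod_spec.get("serviceAccountName")
    if sa != sa_name:
        findings.append(f"serviceAccountName is {sa!r}, expected {sa_name!r}")
    containers = pod_spec.get("containers", [])
    if not containers:
        findings.append("pod template has no containers")
    for c in containers:
        env = {e.get("name"): e.get("value") for e in c.get("env", [])}
        for name, want in REQUIRED_ENV.items():
            if env.get(name) != want:
                findings.append(f"container {c.get('name')!r}: {name}={env.get(name)!r}, expected {want!r}")
    return findings

def main() -> int:
    # Usage: oc get dc/vault -o json | python3 check_vault_dc.py  (no stdin: checks the sample)
    findings = check_vault_dc(SAMPLE_DC if sys.stdin.isatty() else json.load(sys.stdin))
    print("\n".join("FAIL: " + f for f in findings) or "OK")
    return 1 if findings else 0

if __name__ == "__main__":
    sys.exit(main())
```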





Saturday 6 June 2020

Connection to Backend service from Frontend Route in Openshift using proxypass method


A Service object connects the front-end application to the back-end application inside the cluster; a Route object does the same for access from outside the cluster.

Here I am going to show how a front-end application reached from outside the cluster can connect to a back-end application that is not exposed as a Route.


In practice the back-end application should not be exposed outside the cluster as a Route. Instead, the forwarding is done in the Apache configuration of the front end (a pod running in the same cluster as the back-end pod).

Besides serving the Angular sources, the front-end Apache server should also be configured as a reverse proxy, so that every call to the back end passes through the Route of the front end.

Ex: Let us assume the front-end application is exposed as a Route and running at
       https://hpvbalaji.blogspot.com/
      Every call to https://hpvbalaji.blogspot.com/api should then be a reverse-proxy request to the back end.
  Apache is configured to call the back-end Service every time it gets a request for https://hpvbalaji.blogspot.com/api; this way the back-end Service does not need to be exposed as a Route.

I know the example above is hard to follow, so let me show the Apache configuration to make it clearer.

1. Go to the /etc/httpd/conf.d directory or open the /etc/httpd/httpd.conf file.
2. Add the block below to the httpd configuration file.

    <VirtualHost *:80>
        ServerName sub.domain.com
        ServerAdmin me@domain.com
        <Proxy *>
            # httpd 2.4 access control ("Order deny,allow" / "Allow from all" is the 2.2 form)
            Require all granted
        </Proxy>
        # Reverse proxy only: ProxyRequests Off keeps this host from acting as an open forward proxy
        ProxyRequests Off
        ProxyPreserveHost On
        # Requests for /api/ on the front-end Route are forwarded to the back-end Service "backend"
        ProxyPass /api/ http://backend:8080/
        # Rewrite Location headers in back-end redirects so they point back through the Route
        ProxyPassReverse /api/ http://backend:8080/
    </VirtualHost>

    Note: backend is the name of the Service in front of the back-end pod.

3. On OpenShift, the modified Apache configuration file can be stored in a ConfigMap and mounted into the container file system as a volume with the command below.

          oc set volume dc/frontend --add --name=httpdconf --type=configmap --configmap-name=kerberos-auth --mount-path=/etc/httpd/conf.d/


More information on ProxyPass can be found here: https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxypassreverse
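Added example, not the post's own configuration: a generator for the vhost above with the Service name, port and path prefix as parameters, plus a lint for the settings that matter most in it (ProxyRequests must stay Off so the front end never becomes an open forward proxy, each ProxyPass needs a matching ProxyPassReverse, and the trailing slashes of path and target must agree). `backend:8080` and `/api/` are the post's values; the template otherwise mirrors the block above.

```python
import re

# Vhost template reproducing the post's block; Service name, port and prefix are parameters.
VHOST_TEMPLATE = """<VirtualHost *:80>
    ServerName {server_name}
    <Proxy *>
        Require all granted
    </Proxy>
    # Reverse proxy only: never act as a forward proxy for arbitrary hosts.
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass {prefix} {target}
    ProxyPassReverse {prefix} {target}
</VirtualHost>
"""

def render_vhost(server_name: str, service: str, port: int, prefix: str = "/api/") -> str:
    """Render the front-end vhost that forwards `prefix` to the in-cluster Service."""
    # mod_proxy expects the path and the target URL to agree on the trailing slash;
    # a mismatch mangles the remainder of the forwarded path.
    if not prefix.endswith("/"):
        prefix += "/"
    return VHOST_TEMPLATE.format(server_name=server_name, prefix=prefix,
                                 target=f"http://{service}:{port}/")

def lint_proxy_conf(conf: str) -> list:
    """Return findings for the mistakes that matter most in a mod_proxy reverse-proxy vhost."""
    findings = []
    if re.search(r"^\s*ProxyRequests\s+On\b", conf, re.M | re.I):
        findings.append("ProxyRequests On turns this host into an open forward proxy")
    elif not re.search(r"^\s*ProxyRequests\s+Off\b", conf, re.M | re.I):
        findings.append("ProxyRequests is not explicitly Off")
    # `ProxyPass\s+` does not match ProxyPassReverse or ProxyPreserveHost lines.
    passes = re.findall(r"^\s*ProxyPass\s+(\S+)\s+(\S+)", conf, re.M)
    reverses = set(re.findall(r"^\s*ProxyPassReverse\s+(\S+)\s+(\S+)", conf, re.M))
    for path, target in passes:
        if path.endswith("/") != target.endswith("/"):
            findings.append(f"ProxyPass {path} {target}: trailing slashes do not match")
        if (path, target) not in reverses:
            findings.append(f"ProxyPass {path}: no ProxyPassReverse, so back-end redirects "
                            "would expose the internal Service address")
    return findings
```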

Saturday 30 May 2020

Chaos Engineering on Openshift

Reliability and high availability are key features of OpenShift, but even the most resilient systems can fail: applications crash, hardware breaks, and nodes go offline. These failures can have damaging and unpredictable consequences for organizations, especially unprepared ones. Don't worry, folks, we have chaos engineering for that. This post shows how to install one of the popular chaos tools, Gremlin.

Gremlin Installation:

Prerequisites:

1. Create your Gremlin account using the link below:

  • To install Gremlin Openshift clients, you will need your Gremlin Team ID and Secret Key. Visit the Teams page in Gremlin, and then click on your team’s name in the list.
  • Make a note of your Team ID. If you don't know your Secret Key, you will need to reset it. Click the Reset button. You'll get a popup reminding you that any running clients using the current Secret Key will need to be configured with the new key. Hit Continue. Next you'll see a popup showing the new Secret Key. Make a note of it.
  • Gremlin allows targeting objects within your Openshift clusters. After selecting a cluster, you can filter the visible set of objects by selecting a namespace. Select any of your Deployments, ReplicaSets, StatefulSets, DaemonSets, or Pods. When one object is selected, all child objects will also be targeted. 
Installation:
  • Download the Gremlin configuration manifest by running the following:
            wget https://k8s.gremlin.com/resources/gremlin-conf.yaml
  • Open the file and update the following:

       Replace the following line with your team ID: "YOUR TEAM ID GOES HERE"
       Replace the following line with your team secret: "YOUR TEAM SECRET GOES HERE"
       Replace the following line with a string that you will use to identify your cluster: "YOUR UNIQUE CLUSTER NAME GOES HERE"

  • Apply the manifest with this command:
            oc apply -f /path/to/gremlin-conf.yaml

  • Download and apply the gremlin client manifest on your Openshift cluster by running the following:
            wget https://k8s.gremlin.com/resources/gremlin-client-secret.yaml
            oc apply -f https://k8s.gremlin.com/resources/gremlin-client-secret.yaml
  • Download and apply the OpenShift client manifest so that resources at cluster scope can be discovered:
            wget https://k8s.gremlin.com/resources/gremlin-chao-secret.yaml
  • After applying the manifests above to your OpenShift cluster, go back to the Gremlin dashboard; the OpenShift nodes and all of their resources appear there as targets for the attacks.

Done! 😊 Now we can run Gremlin chaos experiments on our OpenShift clusters.

Keep following my blog; in my upcoming post I am going to cover the 5 best chaos experiments on an OpenShift cluster.