Before You Install CN2 Pipelines
SUMMARY
The following procedures help you obtain some prerequisites and some of the values used to fill in the values.yaml file for the CN2 Pipelines Helm chart.
Install Helm
Before installing the CN2 Pipelines chart, you need to install Helm 3 in the management cluster. Helm helps you manage Kubernetes applications. Helm charts help you define, install, and upgrade even the most complex Kubernetes application.
Run the following command to download and install the latest version of Helm 3:
curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3
chmod 700 get_helm.sh
./get_helm.sh
Create Service Account and Token in Kubernetes
You need a working service account. Creating a service account and token are important to give the Kubernetes cluster access within and outside of the CN2 Pipelines using APIs. This topic describes how to create the service account, token, role, and role bindings.
Throughout these procedures, cn2pipelines is used as an example.
For Kubernetes Version 1.23 or Earlier
Perform these steps on the CN2 cluster.
To create a service account and token:

1. Create the namespace if one does not already exist.

   kubectl create ns cn2pipelines

2. Create a service account named cn2pipelines.

   kubectl create sa cn2pipelines -n cn2pipelines

3. Run the describe command to fetch the token.

   kubectl describe sa cn2pipelines -n cn2pipelines

   Output:

   Name:                cn2pipelines
   Namespace:           cn2pipelines
   Labels:              <none>
   Annotations:         <none>
   Image pull secrets:  <none>
   Mountable secrets:   cn2pipelines-token-5szb6
   Tokens:              cn2pipelines-token-5szb6
   Events:              <none>

   By default, Kubernetes version 1.23 or earlier creates the token as a secret when you create the service account.

4. Obtain the secret value and bearerToken for Kubernetes or OpenShift:

   - For CN2 with Kubernetes, take the secret name listed under Mountable secrets in the Step 3 output and run the describe secret command on it to get the bearerToken for the service account. The bearerToken is needed when you update the values.yaml file.

     kubectl describe secret cn2pipelines-token-5szb6 -n cn2pipelines

     Output:

     Name:         cn2pipelines-token-5szb6
     Namespace:    cn2pipelines
     Labels:       <none>
     Annotations:  kubernetes.io/service-account.name: cn2pipelines
                   kubernetes.io/service-account.uid: e5059023-7269-482a-870c-5c4ff175ba00

     Type:  kubernetes.io/service-account-token

     Data
     ====
     namespace:  10 bytes
     token:      eyJhbGciOiJSUzI1NiIsImtpZCI6InZQMkxOcWlOQjg5MElySUtiWGpPTWJVVGZNR3FQS3hnUDhyTDFHZjd3VFkifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJjaS1qZW5raW5zIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImNpLWplbmtpbnMtdG9rZW4tNXN6YjYiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiY2ktamVua2lucyIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImU1MDU5MDIzLTcyNjktNDgyYS04NzBjLTVjNGZmMTc1YmEwMCIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpjaS1qZW5raW5zOmNpLWplbmtpbnMifQ.DeAySlkf7dW6xzUH5bLeXc2lRPa_RMZ2bG4zGktpHyA2eDdM-nliCTpwhuBPbZ2fNeiaZb3Tl8h-MJNF7IygwXEHjW8ALfvUv4nBnmSMj9JW44PoPeMSCAnrtIXucy8hcGZN4K6i1w2n6ASSYAXyifwMOLy3-KfbY9PYErOb0eC34-cHkP-TQoV0o4ncA58kwOwut2DmkIKfH3gsOAY445wO4_WUeYuqO_JU0uQpyPaCRO9sLDhMlVcnp0TI7hvZu_DbVyRhy4b8QqJEj3h08j0lPGvFhvmCcUqTSLXbVtV9o62cqhd1q9pcFq5yAxmYpuwWjkOP8KuIsf71U070_w
     ca.crt:     1099 bytes

   - For CN2 with Red Hat OpenShift, use the service account's image pull secret (the dockercfg secret) as the secret value. Run the following command to get the bearerToken for the service account; it is the value of the openshift.io/token-secret.value annotation. The bearerToken is needed when you update the values.yaml file.

     kubectl get secret cn2pipelines-dockercfg-445hx -n cn2pipelines -o yaml

     Output:

     apiVersion: v1
     data:
       .dockercfg: e30=
     kind: Secret
     metadata:
       annotations:
         kubernetes.io/service-account.name: cn2pipelines
         kubernetes.io/service-account.uid: 38b98d44-334e-4fce-ba90-afe6eae1f644
         openshift.io/token-secret.name: cn2pipelines-token-n5qwb
         openshift.io/token-secret.value: eyJhbGciOiJSUzI1NiIsImtpZCI6ImZ5aVVpQURJUzU1YThqV3ZUME43UGxiX1JhR0hoYnhZd25GMkpBX2g3UzAifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJjaS1qZW5raW5zIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImNpLWplbmtpbnMtdG9rZW4tbjVxd2IiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiY2ktamVua2lucyIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjM4Yjk4ZDQ0LTMzNGUtNGZjZS1iYTkwLWFmZTZlYWUxZjY0NCIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpjaS1qZW5raW5zOmNpLWplbmtpbnMifQ.Zj5Bs8Y8h4GL0o-p7rhnJcPeYdbcoVpfM0oRMHky3KUQuTAb5ZjwV3o-h0e-hZlQC_TpI4kNotijEoFiwKU_mYPr9bY36EBngUZp41BiqSwiY_5qG_wYDd6Dg_Xh6C5n4eagBN8OAi9IXlM3SYH9hgGmEx-dqoXhlGdxCht_JPWoDXbKq0eFU_mtUlqjMU0p__g1VoQ1svlRCUvRsfI8OxIM5jd7qPC3NqkpHlK1I5BHQaScWdjihaTo7OpK-zkcgenSjq882Okw4UxsttFgJZ5iF7hHLcMWtVi-pX4SVl2pdHi8H7DxD4YDiZD3xUJapRpRvnHqNsDvoXXonWBOskW4JE86t95Z5Z7lIHNPpvftajxc3qky6hBW0-1yfpgK36Df2g3OGGrVm16S31wl1K6y7oUu6Py5B4BM5qcge7J9wNTNRMezuomt38SyqyuaCt8SBL-dtc_8bAhKLnMZ7Vr_kGHCDSGBeO_7BaH9dqhb85-oyC_mKHA8F_5xmC4wZ7bBDhMRN9lAoKePK6p1toz1Ca395_w83ib5zGxMfD9C-hskYNrkhCPJwS00_s_QXQdXnnzhc0_C2K9KqZk1qE8A2zmlbaxtcP_PrMMhS5H0bs2i8n88kZO74H7AmPk8HRx0oLG5Ue8Oh8F5x9Ua5M4WuZSfmN5jXlSVdCvtqQY
       creationTimestamp: "2023-03-17T17:32:11Z"
       name: cn2pipelines-dockercfg-445hx
       namespace: cn2pipelines
       ownerReferences:
       - apiVersion: v1
         blockOwnerDeletion: false
         controller: true
         kind: Secret
         name: cn2pipelines-token-n5qwb
         uid: a02b6e19-db50-4d27-9b29-b33a60ad47c9
       resourceVersion: "1132721"
       uid: 723f8808-2fd5-49e6-8012-9fbab8962b47
     type: kubernetes.io/dockercfg

5. Create a ClusterRole and ClusterRoleBinding to give the service account appropriate permissions.

   - Create a ClusterRole and name the file clusterrole-cn2pipelines.yaml.

     apiVersion: rbac.authorization.k8s.io/v1
     kind: ClusterRole
     metadata:
       labels:
         name: cn2pipelines
       name: cn2pipelines
     rules:
     - apiGroups:
       - '*'
       resources:
       - '*'
       verbs:
       - '*'
     - nonResourceURLs:
       - '*'
       verbs:
       - '*'

   - Apply the clusterrole-cn2pipelines.yaml file that you just created.

     kubectl apply -f clusterrole-cn2pipelines.yaml -n cn2pipelines

   - Create a ClusterRoleBinding file and name the file clusterrolebinding-cn2pipelines.yaml.

     apiVersion: rbac.authorization.k8s.io/v1
     kind: ClusterRoleBinding
     metadata:
       labels:
         name: cn2pipelines
       name: cn2pipelines
     roleRef:
       apiGroup: rbac.authorization.k8s.io
       kind: ClusterRole
       name: cn2pipelines
     subjects:
     - kind: ServiceAccount
       name: cn2pipelines
       namespace: cn2pipelines

   - Apply the clusterrolebinding-cn2pipelines.yaml file that you just created.

     kubectl apply -f clusterrolebinding-cn2pipelines.yaml -n cn2pipelines

   The service account is now created with permissions.
For Kubernetes Version 1.24 or Later
For Kubernetes version 1.24 and later, creating a service account does not create a secret automatically.
To manually create a token for this service account:

1. Create the namespace if one does not already exist.

   kubectl create ns cn2pipelines

2. Create a service account named cn2pipelines.

   kubectl create sa cn2pipelines -n cn2pipelines

3. Create a token for the service account cn2pipelines.

   kubectl create token cn2pipelines -n cn2pipelines --duration=999999h

4. Create a ClusterRole and ClusterRoleBinding to give the service account appropriate permissions.

   - Create a ClusterRole and name the file clusterrole-cn2pipelines.yaml.

     apiVersion: rbac.authorization.k8s.io/v1
     kind: ClusterRole
     metadata:
       labels:
         name: cn2pipelines
       name: cn2pipelines
     rules:
     - apiGroups:
       - '*'
       resources:
       - '*'
       verbs:
       - '*'
     - nonResourceURLs:
       - '*'
       verbs:
       - '*'

   - Apply the clusterrole-cn2pipelines.yaml file that you just created.

     kubectl apply -f clusterrole-cn2pipelines.yaml -n cn2pipelines

   - Create a ClusterRoleBinding file and name the file clusterrolebinding-cn2pipelines.yaml.

     apiVersion: rbac.authorization.k8s.io/v1
     kind: ClusterRoleBinding
     metadata:
       labels:
         name: cn2pipelines
       name: cn2pipelines
     roleRef:
       apiGroup: rbac.authorization.k8s.io
       kind: ClusterRole
       name: cn2pipelines
     subjects:
     - kind: ServiceAccount
       name: cn2pipelines
       namespace: cn2pipelines

   - Apply the clusterrolebinding-cn2pipelines.yaml file that you just created.

     kubectl apply -f clusterrolebinding-cn2pipelines.yaml -n cn2pipelines

   The service account is now created with permissions.

5. Run the describe command to fetch the token.

   kubectl describe sa cn2pipelines -n cn2pipelines

   Output:

   Name:                cn2pipelines
   Namespace:           cn2pipelines
   Labels:              <none>
   Annotations:         <none>
   Image pull secrets:  <none>
   Mountable secrets:   cn2pipelines-token-5szb6
   Tokens:              cn2pipelines-token-5szb6
   Events:              <none>

6. Take the secret name listed under Mountable secrets in the Step 5 output and run the describe secret command on it to get the bearerToken for the service account.

   kubectl describe secret cn2pipelines-token-5szb6 -n cn2pipelines

   Output:

   Name:         cn2pipelines-token-5szb6
   Namespace:    cn2pipelines
   Labels:       <none>
   Annotations:  kubernetes.io/service-account.name: cn2pipelines
                 kubernetes.io/service-account.uid: e5059023-7269-482a-870c-5c4ff175ba00

   Type:  kubernetes.io/service-account-token

   Data
   ====
   namespace:  10 bytes
   token:      eyJhbGciOiJSUzI1NiIsImtpZCI6InZQMkxOcWlOQjg5MElySUtiWGpPTWJVVGZNR3FQS3hnUDhyTDFHZjd3VFkifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJjaS1qZW5raW5zIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImNpLWplbmtpbnMtdG9rZW4tNXN6YjYiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiY2ktamVua2lucyIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImU1MDU5MDIzLTcyNjktNDgyYS04NzBjLTVjNGZmMTc1YmEwMCIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpjaS1qZW5raW5zOmNpLWplbmtpbnMifQ.DeAySlkf7dW6xzUH5bLeXc2lRPa_RMZ2bG4zGktpHyA2eDdM-nliCTpwhuBPbZ2fNeiaZb3Tl8h-MJNF7IygwXEHjW8ALfvUv4nBnmSMj9JW44PoPeMSCAnrtIXucy8hcGZN4K6i1w2n6ASSYAXyifwMOLy3-KfbY9PYErOb0eC34-cHkP-TQoV0o4ncA58kwOwut2DmkIKfH3gsOAY445wO4_WUeYuqO_JU0uQpyPaCRO9sLDhMlVcnp0TI7hvZu_DbVyRhy4b8QqJEj3h08j0lPGvFhvmCcUqTSLXbVtV9o62cqhd1q9pcFq5yAxmYpuwWjkOP8KuIsf71U070_w
   ca.crt:     1099 bytes
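The two procedures above differ only in how the bearerToken is obtained: from the auto-created secret on Kubernetes 1.23 and earlier, or from kubectl create token on 1.24 and later. The script below is an added example (not Juniper's code and not part of this page) that selects the right path from the API server version, then decodes the token's JWT claims offline so you can confirm the token really belongs to the cn2pipelines service account before it goes into values.yaml; it also lists what the account is allowed to do, which for the ClusterRole on this page (all verbs on all resources and non-resource URLs) is effectively cluster-admin, so the listing is the place to review that grant. It assumes kubectl, sed and base64 are on PATH, covers the Kubernetes secret path only (not the OpenShift dockercfg secret), and the environment variable and function names are this example's own. The sample token built by sample_token is constructed for offline demonstration and carries a dummy signature.

```shell
#!/bin/sh
# Added example, not part of the Juniper page: fetch the cn2pipelines service
# account's bearer token with the procedure that matches the cluster version
# (secret on Kubernetes <= 1.23, `kubectl create token` on 1.24+), then inspect
# the token's claims offline to confirm it belongs to the expected service
# account before pasting it into values.yaml. Variable names are this example's own.

SA_NAME="${SA_NAME:-cn2pipelines}"
SA_NAMESPACE="${SA_NAMESPACE:-cn2pipelines}"
TOKEN_DURATION="${TOKEN_DURATION:-999999h}"   # the page's value; a shorter lifetime limits exposure if the token leaks

# Decode one base64url segment of a JWT. JWTs omit '=' padding and GNU
# base64 -d rejects unpadded input, so pad to a multiple of 4 first.
b64url_decode() {
  s="$1"
  pad=$(( (4 - ${#s} % 4) % 4 ))
  while [ "$pad" -gt 0 ]; do s="${s}="; pad=$((pad - 1)); done
  printf '%s' "$s" | tr '_-' '/+' | base64 -d
}

# Print the JSON payload (second dot-separated segment) of a JWT.
jwt_payload() {
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# Extract a string-valued claim ($2) from a JWT ($1) without needing jq.
jwt_claim() {
  jwt_payload "$1" | sed -n "s|.*\"$2\":\"\([^\"]*\)\".*|\1|p"
}

# True when the token's subject is system:serviceaccount:<namespace>:<name>.
token_matches_sa() {
  [ "$(jwt_claim "$1" sub)" = "system:serviceaccount:$2:$3" ]
}

# Fetch the bearer token using the procedure that fits the API server version.
get_bearer_token() {
  minor=$(kubectl version -o json | tr -d '\n ' \
    | sed -n 's/.*"serverVersion":{[^}]*"minor":"\([0-9]*\).*/\1/p')
  if [ "${minor:-0}" -ge 24 ]; then
    # 1.24+: no secret is created automatically, so mint a token.
    kubectl create token "$SA_NAME" -n "$SA_NAMESPACE" --duration="$TOKEN_DURATION"
  else
    # <= 1.23: read the auto-generated service-account-token secret.
    secret=$(kubectl get sa "$SA_NAME" -n "$SA_NAMESPACE" -o jsonpath='{.secrets[0].name}')
    kubectl get secret "$secret" -n "$SA_NAMESPACE" -o jsonpath='{.data.token}' | base64 -d
  fi
}

# List what the service account may do, so the ClusterRole grant can be
# reviewed before the token is handed to the pipeline.
list_sa_permissions() {
  kubectl auth can-i --list --as="system:serviceaccount:$SA_NAMESPACE:$SA_NAME"
}

# Constructed sample token for offline use: real header/payload encoding,
# dummy signature (nothing here verifies signatures; the API server does).
sample_token() {
  hdr=$(printf '%s' '{"alg":"RS256","kid":"example"}' | base64 | tr -d '=\n' | tr '/+' '_-')
  pay=$(printf '%s' '{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"cn2pipelines","sub":"system:serviceaccount:cn2pipelines:cn2pipelines"}' \
    | base64 | tr -d '=\n' | tr '/+' '_-')
  printf '%s.%s.%s' "$hdr" "$pay" "dummysignature"
}

# Fetch the live token, check its subject, and print it for values.yaml.
main() {
  tok=$(get_bearer_token)
  if ! token_matches_sa "$tok" "$SA_NAMESPACE" "$SA_NAME"; then
    echo "token subject is $(jwt_claim "$tok" sub), expected $SA_NAMESPACE/$SA_NAME" >&2
    exit 1
  fi
  printf '%s\n' "$tok"   # paste this value as bearerToken in values.yaml
}

# Usage: sh sa-token.sh main  (or list_sa_permissions, etc.); with no
# arguments the script only defines the functions.
if [ "$#" -gt 0 ]; then "$@"; fi
```

Run it as sh sa-token.sh main against the CN2 cluster's current kubectl context; the subject check catches the common mistake of copying a token that belongs to a different namespace or account, and sh sa-token.sh list_sa_permissions shows the effective RBAC grant that the ClusterRoleBinding above produces.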
Verify Kubeconfig
Before creating the kubeconfig file as base64, verify kubeconfig works from the management cluster.
Create CN2 Cluster Kubeconfig as Base64
You need the kubeconfig as a base64-encoded file for the values.yaml.
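As an added example for the two sections above (not Juniper's code and not part of this page), the functions below build a kubeconfig that authenticates to the CN2 cluster as the cn2pipelines service account using the bearerToken obtained earlier, verify it from the management cluster before it is encoded, and emit it as the single-line base64 string that values.yaml expects. The function names, the cluster and context names inside the kubeconfig, and the sample values in the usage comment are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the Juniper page: write a token-based kubeconfig
# for the cn2pipelines service account, verify it, and base64-encode it for
# values.yaml. Names and sample values are this example's own.

# Write a token-based kubeconfig. Arguments: output file, API server URL,
# base64-encoded CA certificate (the secret's ca.crt field, still base64),
# bearer token. Scoped to the cn2pipelines namespace by default.
write_sa_kubeconfig() {
  out="$1"; server="$2"; ca_b64="$3"; token="$4"
  cat > "$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: cn2
  cluster:
    server: ${server}
    certificate-authority-data: ${ca_b64}
contexts:
- name: cn2pipelines@cn2
  context:
    cluster: cn2
    namespace: cn2pipelines
    user: cn2pipelines
current-context: cn2pipelines@cn2
users:
- name: cn2pipelines
  user:
    token: ${token}
EOF
  chmod 600 "$out"   # the file carries a credential; keep it owner-readable only
}

# Verify the kubeconfig authenticates and is authorized before encoding it
# (kubectl auth can-i exits non-zero when the answer is "no").
verify_kubeconfig() {
  kubectl --kubeconfig "$1" auth can-i get pods -n cn2pipelines >/dev/null
}

# Encode the kubeconfig as one base64 line; tr strips the line wrapping that
# GNU base64 inserts, so the result is safe to paste into a YAML value.
kubeconfig_to_base64() {
  base64 < "$1" | tr -d '\n'
}

# Round-trip check: decode a base64 value to a file and confirm it is a
# kubeconfig document (kind: Config).
base64_to_kubeconfig() {
  printf '%s' "$1" | base64 -d > "$2" && grep -q '^kind: Config$' "$2"
}

# Usage with constructed values (CA_B64 and BEARER_TOKEN come from the secret
# and token steps above):
#   write_sa_kubeconfig ./cn2.kubeconfig https://10.0.0.1:6443 "$CA_B64" "$BEARER_TOKEN"
#   verify_kubeconfig ./cn2.kubeconfig && kubeconfig_to_base64 ./cn2.kubeconfig
```

Keeping the context's default namespace at cn2pipelines means any tooling that loads this kubeconfig operates in that namespace unless it asks otherwise, and the round-trip decode is a cheap check that the value pasted into values.yaml was not truncated or line-wrapped.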
Create a Personal Access Token for GitLab
To create a personal access token, use the following procedure from GitLab:
Mountpath and Profiles
You need to create the mountpath folder and then create your profiles inside it. For example, if your mountpath is /opt/cn2_workflows as defined in the values.yaml, you will create a folder named /opt/cn2_workflows.
Create a Sample ConfigMap in Git Server Folder
You need to create a sample ConfigMap before installing the CN2 Pipelines. This ConfigMap will get applied by Argo CD as part of the CN2 Pipelines installation.
Apply Ingress and Update /etc/hosts for an OpenShift Deployment
Perform these steps on the CN2 cluster to deploy the ingress components, as mentioned in the Additional Prerequisites Only for OpenShift.