"OpenShift 4.x HOL Tutorial Collection"
Note: this article has been verified on OpenShift 4.11 and CRC 4.10.
The environment created in this article includes RHACS, a CI/CD pipeline, SonarQube, ArgoCD, Nexus and Gogs, and can be used for the demo in "OpenShift 4 - DevSecOps - Using RHACS to Find and Fix Security Risks in the DevSecOps Process (video)".
$ sudo yum install python3-pip
$ sudo yum install ansible
$ ansible --version
ansible 2.9.27
config file = /etc/ansible/ansible.cfg
configured module search path = ['/home/lab-user/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python3.6/site-packages/ansible
executable location = /usr/bin/ansible
python version = 3.6.8 (default, Sep 9 2021, 07:49:02) [GCC 8.5.0 20210514 (Red Hat 8.5.0-3)]
$ ansible-galaxy collection install community.kubernetes
$ pip3 install kubernetes openshift jmespath --user
$ git clone https://github.com/liuxiaoyu-git/devsecops-demo && cd devsecops-demo
$ oc login --token=TOKEN --server=https://OCP-API-SERVER
$ ./install.sh
# INFO: Installing Demo
Using /etc/ansible/ansible.cfg as config file
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'
PLAY [Install the ACS Demo] ****************************************************************************************************************************************
TASK [Gathering Facts] *********************************************************************************************************************************************
ok: [localhost]
TASK [Install Gitops] **********************************************************************************************************************************************
。。。。
PLAY RECAP *********************************************************************************************************************************************************
localhost : ok=73 changed=27 unreachable=0 failed=0 skipped=3 rescued=0 ignored=0
Note 1: If the system has both a python2 and a python3 environment and Ansible does not use python3 by default, the DevSecOps Workshop environment can be installed with the following command.
$ ansible-playbook bootstrap/deploy_demo.yaml -v -e ansible_python_interpreter=/usr/bin/python3.6
Note 2: The deployment has to download the required images; on a slow network this can make the script time out. In that case, re-run the script until the deployment completes.
Note 3: If the deployment named gogs-postgresql reports that it cannot pull the “rhel8/postgresql-13:latest” image, manually change the image name in the deployment to the fully qualified “registry.redhat.io/rhel8/postgresql-13:latest”.
$ ./status.sh
## GOGS Server - Username/Password: gogs/gogs ##
http://gogs-cicd.apps.cluster-fjprp.fjprp.sandbox1493.opentlc.com
## Nexus Server - Username/Password: admin/admin123 ##
https://nexus-cicd.apps.cluster-fjprp.fjprp.sandbox1493.opentlc.com
## Sonarqube Server - Username/Password: admin/admin ##
https://sonarqube-cicd.apps.cluster-fjprp.fjprp.sandbox1493.opentlc.com
## Reports Server - Username/Password: reports/reports ##
http://reports-repo-cicd.apps.cluster-fjprp.fjprp.sandbox1493.opentlc.com
## ACS/Stackrox Server - Username/Password: admin/stackrox ##
https://central-stackrox.apps.cluster-fjprp.fjprp.sandbox1493.opentlc.com
## ArgoCD Server - Username/Password: admin/[DEX] ##
https://openshift-gitops-server-openshift-gitops.apps.cluster-fjprp.fjprp.sandbox1493.opentlc.com
$ oc get all -n cicd
NAME READY STATUS RESTARTS AGE
pod/el-webhook-9f8f5d689-qj6xw 1/1 Running 2 (23m ago) 24m
pod/gogs-b5599944f-vx7h4 1/1 Running 0 26m
pod/gogs-postgresql-67b74f7d99-444f9 1/1 Running 0 26m
pod/init-gogs-ctnsb-pod-5zj29 0/1 Completed 0 24m
pod/nexus-68db449d94-ct7pd 1/1 Running 0 26m
pod/reports-repo-6c87bb8988-6nzg7 2/2 Running 0 26m
pod/sonarqube-6795dbdc79-5qm2j 1/1 Running 0 26m
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/el-webhook ClusterIP 172.30.227.13 <none> 8080/TCP,9000/TCP 24m
service/gogs ClusterIP 172.30.91.84 <none> 3000/TCP 26m
service/gogs-postgresql ClusterIP 172.30.75.218 <none> 5432/TCP 26m
service/nexus ClusterIP 172.30.209.22 <none> 8081/TCP 26m
service/reports-repo ClusterIP 172.30.188.139 <none> 8080/TCP 26m
service/sonarqube ClusterIP 172.30.242.248 <none> 9000/TCP 26m
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/el-webhook 1/1 1 1 24m
deployment.apps/gogs 1/1 1 1 26m
deployment.apps/gogs-postgresql 1/1 1 1 26m
deployment.apps/nexus 1/1 1 1 26m
deployment.apps/reports-repo 1/1 1 1 26m
deployment.apps/sonarqube 1/1 1 1 26m
NAME DESIRED CURRENT READY AGE
replicaset.apps/el-webhook-9f8f5d689 1 1 1 24m
replicaset.apps/gogs-b5599944f 1 1 1 26m
replicaset.apps/gogs-postgresql-67b74f7d99 1 1 1 26m
replicaset.apps/nexus-68db449d94 1 1 1 26m
replicaset.apps/reports-repo-6c87bb8988 1 1 1 26m
replicaset.apps/sonarqube-6795dbdc79 1 1 1 26m
NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD
route.route.openshift.io/el-webhook el-webhook-cicd.apps.cluster-fjprp.fjprp.sandbox1493.opentlc.com el-webhook http-listener None
route.route.openshift.io/gogs gogs-cicd.apps.cluster-fjprp.fjprp.sandbox1493.opentlc.com gogs <all> None
route.route.openshift.io/nexus nexus-cicd.apps.cluster-fjprp.fjprp.sandbox1493.opentlc.com nexus 8081-tcp None
route.route.openshift.io/reports-repo reports-repo-cicd.apps.cluster-fjprp.fjprp.sandbox1493.opentlc.com reports-repo 8080-tcp None
route.route.openshift.io/sonarqube sonarqube-cicd.apps.cluster-fjprp.fjprp.sandbox1493.opentlc.com sonarqube 9000-tcp edge None
$ oc get all -n devsecops-dev
NAME READY STATUS RESTARTS AGE
pod/spring-petclinic-566fd65d6c-zdvvc 1/1 Running 0 21m
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/spring-petclinic ClusterIP 172.30.181.212 <none> 8080/TCP,8443/TCP,8778/TCP 21m
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/spring-petclinic 1/1 1 1 21m
NAME DESIRED CURRENT READY AGE
replicaset.apps/spring-petclinic-566fd65d6c 1 1 1 21m
NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD
route.route.openshift.io/spring-petclinic spring-petclinic-devsecops-dev.apps.cluster-fjprp.fjprp.sandbox1493.opentlc.com spring-petclinic 8080-tcp None
$ oc get all -n devsecops-qa
NAME READY STATUS RESTARTS AGE
pod/spring-petclinic-566fd65d6c-mng7n 1/1 Running 0 22m
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/spring-petclinic ClusterIP 172.30.93.127 <none> 8080/TCP,8443/TCP,8778/TCP 22m
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/spring-petclinic 1/1 1 1 22m
NAME DESIRED CURRENT READY AGE
replicaset.apps/spring-petclinic-566fd65d6c 1 1 1 22m
NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD
route.route.openshift.io/spring-petclinic spring-petclinic-devsecops-qa.apps.cluster-fjprp.fjprp.sandbox1493.opentlc.com spring-petclinic 8080-tcp None
$ oc get all -n stackrox
NAME READY STATUS RESTARTS AGE
pod/admission-control-6f6fd7c7f7-5bsbj 1/1 Running 0 23m
pod/admission-control-6f6fd7c7f7-ndt9n 1/1 Running 0 23m
pod/admission-control-6f6fd7c7f7-s9dns 1/1 Running 0 23m
pod/central-6b96668d45-rq5wz 1/1 Running 0 24m
pod/collector-27qg7 2/2 Running 0 23m
pod/collector-bq4kz 2/2 Running 0 23m
pod/collector-n5qcb 2/2 Running 0 23m
pod/collector-rq6sw 2/2 Running 0 23m
pod/collector-vr2tt 2/2 Running 0 23m
pod/collector-xxbmb 2/2 Running 0 23m
pod/scanner-7d77d75f6c-n8x7b 1/1 Running 0 24m
pod/scanner-7d77d75f6c-rqjzh 1/1 Running 0 24m
pod/scanner-db-77dd49d98-6jnbp 1/1 Running 0 24m
pod/sensor-59587d6fc9-n645r 1/1 Running 0 23m
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/admission-control ClusterIP 172.30.154.95 <none> 443/TCP 23m
service/central ClusterIP 172.30.191.135 <none> 443/TCP 24m
service/scanner ClusterIP 172.30.81.169 <none> 8080/TCP,8443/TCP 24m
service/scanner-db ClusterIP 172.30.118.98 <none> 5432/TCP 24m
service/sensor ClusterIP 172.30.75.139 <none> 443/TCP 23m
service/sensor-webhook ClusterIP 172.30.232.229 <none> 443/TCP 23m
NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE
daemonset.apps/collector 6 6 6 6 6 <none> 23m
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/admission-control 3/3 3 3 23m
deployment.apps/central 1/1 1 1 24m
deployment.apps/scanner 2/2 2 2 24m
deployment.apps/scanner-db 1/1 1 1 24m
deployment.apps/sensor 1/1 1 1 23m
NAME DESIRED CURRENT READY AGE
replicaset.apps/admission-control-6f6fd7c7f7 3 3 3 23m
replicaset.apps/central-6b96668d45 1 1 1 24m
replicaset.apps/scanner-7d77d75f6c 2 2 2 24m
replicaset.apps/scanner-db-77dd49d98 1 1 1 24m
replicaset.apps/sensor-59587d6fc9 1 1 1 23m
NAME REFERENCE TARGETS MINPODS MAXPODS REPLICAS AGE
horizontalpodautoscaler.autoscaling/scanner Deployment/scanner 0%/150% 2 5 2 24m
NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD
route.route.openshift.io/central central-stackrox.apps.cluster-fjprp.fjprp.sandbox1493.opentlc.com central https passthrough None
route.route.openshift.io/central-mtls central.stackrox central https passthrough None
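After install.sh finishes, the `oc get all` listings above are what you eyeball to confirm that the cicd, devsecops-dev, devsecops-qa and stackrox namespaces are healthy. The script below automates that check. It is an added example and not part of the devsecops-demo repository: it parses the `oc get pods` table (the RESTARTS column may carry a "(23m ago)" suffix, as in the el-webhook line above), treats Completed job pods such as init-gogs as fine, and reports pods that are not Running, not fully ready (e.g. the ImagePullBackOff case from Note 3) or have restarted. The embedded sample output is constructed from the page's own listing with the gogs-postgresql pod altered to show the image-pull failure; running it with namespace arguments assumes `oc` is on the PATH with an active `oc login`.

```python
import re
import subprocess
import sys

# Constructed sample in the format of `oc get pods -n cicd`; the rows mirror the
# page's output, with gogs-postgresql altered to show the Note 3 failure mode.
SAMPLE_OC_GET_PODS = """\
NAME                               READY   STATUS             RESTARTS      AGE
el-webhook-9f8f5d689-qj6xw         1/1     Running            2 (23m ago)   24m
gogs-b5599944f-vx7h4               1/1     Running            0             26m
gogs-postgresql-67b74f7d99-444f9   0/1     ImagePullBackOff   0             26m
init-gogs-ctnsb-pod-5zj29          0/1     Completed          0             24m
nexus-68db449d94-ct7pd             1/1     Running            0             26m
"""

# One row of `oc get pods` output; RESTARTS may be followed by "(<age> ago)".
_ROW = re.compile(
    r"^(?P<name>\S+)\s+(?P<ready>\d+)/(?P<total>\d+)\s+(?P<status>\S+)\s+"
    r"(?P<restarts>\d+)(?:\s+\([^)]*\))?\s+(?P<age>\S+)\s*$"
)


def parse_pods(text):
    """Parse the tabular output of `oc get pods` into a list of dicts."""
    pods = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("NAME"):
            continue  # skip blank lines and the header row
        m = _ROW.match(line)
        if not m:
            raise ValueError(f"unrecognised oc output line: {line!r}")
        pods.append({
            "name": m["name"],
            "ready": int(m["ready"]),
            "total": int(m["total"]),
            "status": m["status"],
            "restarts": int(m["restarts"]),
        })
    return pods


def find_unhealthy(pods):
    """Map pod name -> reason for every pod that is not in a healthy end state.

    Completed pods (the init-gogs job) are fine at 0/1 ready.  Any other
    non-Running status (ImagePullBackOff, CrashLoopBackOff, ...), a Running pod
    with fewer ready containers than it declares, and any restarts are reported.
    """
    problems = {}
    for p in pods:
        if p["status"] == "Completed":
            continue
        if p["status"] != "Running":
            problems[p["name"]] = f"status {p['status']}"
        elif p["ready"] < p["total"]:
            problems[p["name"]] = f"only {p['ready']}/{p['total']} containers ready"
        elif p["restarts"] > 0:
            problems[p["name"]] = f"restarted {p['restarts']} time(s)"
    return problems


def check_namespace(namespace):
    """Run `oc get pods -n <namespace>` (needs an active `oc login`) and return problems."""
    out = subprocess.run(["oc", "get", "pods", "-n", namespace],
                         capture_output=True, text=True, check=True).stdout
    return find_unhealthy(parse_pods(out))


if __name__ == "__main__":
    # No arguments: report on the embedded sample.  Otherwise check live namespaces,
    # e.g.  python3 check_demo.py cicd devsecops-dev devsecops-qa stackrox
    if len(sys.argv) == 1:
        report = {"sample": find_unhealthy(parse_pods(SAMPLE_OC_GET_PODS))}
    else:
        report = {ns: check_namespace(ns) for ns in sys.argv[1:]}
    for ns, problems in report.items():
        for name, reason in problems.items():
            print(f"{ns}/{name}: {reason}")
    sys.exit(1 if any(report.values()) else 0)
```

A non-zero exit status makes the check usable as a gate before the demo starts (or as a retry condition around the Note 2 re-run), rather than relying on scrolling through the listings by hand.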
If the following error appears while installing the OpenShift Pipelines Operator, the installation will never get past this step. In that case, install the OpenShift Pipelines Operator manually, then run the install script again.
constraints not satisfiable: no operators found in channel stable of package openshift-pipelines-operator-rh in the catalog referenced by subscription openshift-pipelines-operator, subscription openshift-pipelines-operator
https://github.com/liuxiaoyu-git/devsecops-demo