This document describes how to install Dev Sandbox in a development environment.
Ensure you have access to an OpenShift 4.6+ cluster with cluster admin privileges and log in using oc login.
Install the required tools.
Configure authentication for the cluster using one of the following options:
Option #1: Contact a member of the Dev Sandbox Team for instructions on how to configure the cluster to use our internal Dev SSO.
Option #2: Configure your own Keycloak server and set up authentication on the OpenShift cluster: https://docs.openshift.com/container-platform/4.6/authentication/configuring-internal-oauth.html
Option #3: Deploy and configure Keycloak internally as part of the cluster. Just add the DEV_SSO=true parameter to the dev targets. For example, make dev-deploy-latest DEV_SSO=true will deploy the latest version of the operators with a preconfigured Keycloak instance and one default Keycloak user [email protected] with password user1.
If you are presented with the following error, then you need to accept the self-signed certificate of the dev Keycloak instance first. Go to https://keycloak-<dev-sso-namespace>.<domain>/auth (the complete link is printed out at the end of the command) and accept the certificate.
Note: This third option only works with OCP and CRC clusters at the moment.
It is strongly recommended to remove the self-provisioner role to disallow users from creating their own namespaces. This is because the Dev Sandbox is designed to create/manage namespaces for users automatically. It creates these namespaces based on predefined templates that also define resource limits so only these namespaces should be accessible to Dev Sandbox users.
Run the following commands:
oc patch clusterrolebinding.rbac self-provisioners -p '{"subjects": null, "metadata": {"annotations":{"rbac.authorization.kubernetes.io/autoupdate": "false"}}}'
oc adm policy remove-cluster-role-from-group self-provisioner system:authenticated:oauth
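To confirm the two commands above took effect, the following added example (not part of the toolchain-e2e repository) audits the JSON printed by oc get clusterrolebindings -o json for any remaining grant of the self-provisioner role and for the autoupdate annotation, which must be "false" or RBAC reconciliation restores the default subjects. The sample inputs and the team-self-provisioners binding are constructed for illustration.

```python
import json

ROLE = "self-provisioner"
BINDING = "self-provisioners"
AUTOUPDATE = "rbac.authorization.kubernetes.io/autoupdate"


def audit_self_provisioner(bindings_json):
    """Return findings for the JSON printed by `oc get clusterrolebindings -o json`."""
    findings = []
    for crb in json.loads(bindings_json).get("items", []):
        if crb.get("roleRef", {}).get("name") != ROLE:
            continue
        meta = crb.get("metadata", {})
        name = meta.get("name", "<unnamed>")
        # `"subjects": null` and a missing key both mean nobody is bound.
        for subject in crb.get("subjects") or []:
            findings.append(f"{name}: {subject.get('kind')} {subject.get('name')} "
                            "can still create namespaces")
        # Unless autoupdate is "false", RBAC reconciliation restores the
        # default subjects of this binding and undoes the patch.
        annotations = meta.get("annotations") or {}
        if name == BINDING and annotations.get(AUTOUPDATE) != "false":
            findings.append(f"{name}: annotation {AUTOUPDATE} is not 'false'")
    return findings


def _crb(name, subjects, autoupdate):
    """Build one constructed ClusterRoleBinding for the samples below."""
    return {"metadata": {"name": name, "annotations": {AUTOUPDATE: autoupdate}},
            "roleRef": {"kind": "ClusterRole", "name": ROLE},
            "subjects": subjects}


# Constructed sample input, not captured from a real cluster.
OAUTH_GROUP = {"kind": "Group", "name": "system:authenticated:oauth"}
DEFAULT_STATE = json.dumps({"items": [_crb(BINDING, [OAUTH_GROUP], "true")]})
HARDENED_STATE = json.dumps({"items": [_crb(BINDING, None, "false")]})
# Hypothetical extra binding that still grants the role to another group.
LEFTOVER_STATE = json.dumps({"items": [
    _crb(BINDING, None, "false"),
    _crb("team-self-provisioners", [{"kind": "Group", "name": "team-a"}], "true")]})

if __name__ == "__main__":
    for label, state in [("default", DEFAULT_STATE), ("hardened", HARDENED_STATE),
                         ("leftover", LEFTOVER_STATE)]:
        print(label, audit_self_provisioner(state) or "OK")
```

An empty result means no subject holds the self-provisioner role and the default binding will not be repopulated.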
Clone this repository
git clone [email protected]:codeready-toolchain/toolchain-e2e.git
This repository provides multiple Makefile targets; which one to use depends on which version of the Dev Sandbox operators you want to install.
Note: If the cluster is an OSD cluster, then set the variable IS_OSD=true when running any of the Makefile targets (for example: make appstudio-dev-deploy-latest IS_OSD=true).
Important: Make note of the Registration Service URL that is printed at the end of the target execution.
Run the following to install the latest greatest Sandbox operators in dev mode:
make dev-deploy-latest
Run the following to install the latest greatest Sandbox operators in dev mode for the AppStudio environment:
make appstudio-dev-deploy-latest
If you want to install a local version of any of the Sandbox operators in dev mode, then:
- Run any of the following commands:
# To deploy local versions of all repositories:
make dev-deploy-e2e-local
# To deploy local version only of the host-operator repo:
make dev-deploy-e2e-host-local
# To deploy local version only of the member-operator repo:
make dev-deploy-e2e-member-local
# To deploy local version only of the registration-service repo:
make dev-deploy-e2e-registration-local
- Run oc get toolchainstatus -n toolchain-host-operator and ensure the Ready status is True:
NAME               MURS   READY   LAST UPDATED
toolchain-status   0      True    2021-03-24T22:39:36Z
- Open the Registration Service URL in a browser and sign up for an account.
- Wait for the message "Your OpenShift Developer Sandbox account is waiting for approval".
Manual approval means each usersignup must be approved by editing the usersignup resource for a particular user.
- Run the following command to get the name of the usersignup resource:
oc get usersignup
The name should be a UUID, e.g. 66e54c45-9868-4a25-81ca-d56b600c8491
- Approve the usersignup:
oc patch usersignup -p '{"spec":{"states":["approved"]}}' --type=merge <usersignup name> -n <host operator namespace>
Automatic approval means enabling automatic approval in the Dev Sandbox configuration. Users will be automatically approved and provisioned without admin intervention.
- Enable automatic approval:
oc patch ToolchainConfig -p '{"spec":{"host":{"automaticApproval":{"enabled":true}}}}' --type=merge config -n <host operator namespace>
After approval, the registration service will display a link to start using the Sandbox. The link will go to the user's Dev Console, but first a login page will appear with two options:
Option #1: kube:admin
Option #2: The authentication method configured in the Authentication step
Select option 2 and log in using the same account used in the [Register/Login via the Registration Service] step.
After logging in, a user will have access only to the namespaces created for them.