Chapter 7. Containers Providers

A containers provider is a service that manages container resources, that can be added to the Red Hat CloudForms appliance.

CloudForms can connect to OpenShift Container Platform containers providers and manage them similarly to infrastructure and cloud providers. This allows you to gain control over different aspects of your containers environment and answer questions such as:

  • How many containers exist in my environment?
  • Does a specific node have enough resources?
  • How many distinct images are used?
  • Which image registries are used?

When CloudForms connects to a container’s environment, it collects information on different areas of the environment:

  • Entities such as pods, nodes, or services.
  • Basic relationships between the entities, for example: Which services are serving which pods?
  • Advanced insight into relationships, for example: Which two different containers are using the same image?
  • Additional information, such as events, projects, routes, and metrics.

You can manage policies for containers entities by adding tags. All containers entities except volumes can be tagged.

Note

This chapter provides details on managing containers providers. For details on working with the resources within a container environment, see Container Entities in Managing Infrastructure and Inventory.

The CloudForms user interface uses virtual thumbnails to represent containers providers. Each thumbnail contains four quadrants by default, which display basic information about each provider:

cp quad icon

  1. Number of nodes
  2. Container provider software
  3. Power state
  4. Authentication status

Table 7.1. Containers provider authentication status

IconDescription

2190

Validated: Valid authentication credentials have been added.

2191

Invalid: Authentication credentials are invalid.

2192

Unknown: Authentication status is unknown or no credentials have been entered.

7.1. Obtaining an OpenShift Container Platform Management Token

When deploying OpenShift using openshift-ansible-3.0.20 (or later versions), the OpenShift Container Platform service account and roles required by Red Hat CloudForms are installed by default.

Note

See the OpenShift Container Platform documentation for a list of the default roles.

Run the following to obtain the token needed to add an OpenShift Container Platform provider: 

# oc sa get-token -n management-infra management-admin
eyJhbGciOiJSUzI1NiI...

7.2. Enabling OpenShift Cluster Metrics

Use the OpenShift Cluster Metrics plug-in to collect node, pod, and container metrics into one location. This helps track usage and find common issues.

7.3. Adding an OpenShift Container Platform Provider

After initial installation and creation of a Red Hat CloudForms environment, add an OpenShift Container Platform provider using the token obtained in Section 7.1, “Obtaining an OpenShift Container Platform Management Token” and following the procedure below.

  1. Navigate to ComputeContainersProviders.
  2. Click Configuration (Configuration), then click Add a New Containers Provider (Add Existing Containers Provider).
  3. Enter a Name for the provider.
  4. From the Type list, select OpenShift Container Platform.
  5. Enter the appropriate Zone for the provider. If you do not specify a zone, it is set to default.

  6. Under Endpoints in the Default tab, configure the following for the OpenShift provider:

    1. Select a Security Protocol method to specify how to authenticate the provider:

      • SSL: Authenticate the provider securely using a trusted Certificate Authority. Select this option if the provider has a valid SSL certificate and it is signed by a trusted Certificate Authority. No further configuration is required for this option.

      • SSL trusting custom CA: Authenticate the provider with a self-signed certificate. For this option, copy your provider’s CA certificate to the Trusted CA Certificates box in PEM format.

        Note

        To obtain your OpenShift Container Platform provider’s CA certificate, run the oc get secret command on your provider, substituting values for your provider and token as needed. To obtain a token for your provider, see Section 7.1, “Obtaining an OpenShift Container Platform Management Token”.

        For example: 

        # oc get secret --namespace management-infra management-admin-token-8ixxs --template='{{index .data "ca.crt"}}' | base64 --decode

        Paste the output (a block of text starting with -----BEGIN CERTIFICATE-----) into the Trusted CA Certificates field.

      • SSL without validation: Authenticate the provider insecurely (not recommended).

    2. Enter the Hostname or IPv4 or IPv6 address of the provider.

      Important

      The Hostname must use a unique fully qualified domain name.

    3. Enter the API Port of the provider. The default port is 8443.
    4. Enter the OpenShift management token in the Token field. This is the token obtained earlier in Section 7.1, “Obtaining an OpenShift Container Platform Management Token”.
    5. Enter the same token in the Confirm Token field.
    6. Click Validate to confirm that Red Hat CloudForms can connect to the OpenShift Container Platform provider.

  7. Under Endpoints in the Hawkular tab, configure the following for Hawkular capacity and utilization metrics collection:

    1. Select a Security Protocol method to specify how to authenticate the provider:

      • SSL: Authenticate the provider securely using a trusted Certificate Authority. Select this option if the provider has a valid SSL certificate and it is signed by a trusted Certificate Authority. No further configuration is required for this option.

      • SSL trusting custom CA: Authenticate the provider with a self-signed certificate. For this option, copy your provider’s CA certificate to the Trusted CA Certificates box in PEM format.

        Note

        In OpenShift, the default deployment of the router generates certificates during installation, which can be used with the SSL trusting custom CA option. Connecting a Hawkular endpoint with this option requires the CA certificate that the cluster uses for service certificates, which is stored in /etc/origin/master/service-signer.crt on the first master in a cluster. You can also obtain the certificate from the cluster by running the following on your provider: 

        # oc get secrets $(oc get secrets -n default -o jsonpath='{.items[?(@.type=="kubernetes.io/service-account-token")].metadata.name}{"\n"}' | grep  -Eo "router.+" | awk '{print $1}') -n default -o jsonpath='{.data.ca\.crt}{"\n"}' | base64 -d
      • SSL without validation: Authenticate the provider insecurely using SSL. (Not recommended)
    2. Enter the Hostname or IPv4 or IPv6 address of the provider.
    3. Enter the API Port if your Hawkular provider uses a non-standard port for access. The default port is 443.
    4. Click Validate to confirm that Red Hat CloudForms can connect to the Hawkular endpoint.
  8. Click Add.

7.4. Tagging Containers Providers

Apply tags to all containers providers to categorize them together at the same time.

  1. Navigate to ComputeContainersProviders.
  2. Select the checkboxes for the containers providers to tag.
  3. Click Policy (Policy), and then Edit Tags (Edit Tags).

  4. Select a tag to assign from the drop-down menu.

    2219

  5. Select a value to assign.
  6. Click Save.

7.5. Removing Containers Providers

You may want to remove a containers provider from the VMDB if the provider is no longer in use.

  1. Navigate to ComputeContainersProviders.
  2. Select the checkboxes for the containers providers to remove.
  3. Click Configuration (Configuration), and then Remove Containers Providers from the VMDB (Remove Containers Providers from the VMDB).
  4. Click OK.

7.6. Editing a Containers Provider

Edit information about a provider such as the name, hostname, IP address or port, and credentials.

  1. Navigate to ComputeContainersProviders.
  2. Click the containers provider to edit.
  3. Click Configuration (Configuration), and then Edit Selected Containers Provider (Edit Selected Containers Provider).

  4. Edit the Basic Information. This varies depending on the Type of provider.

    Note

    The Type value is unchangeable.

    To use a different containers provider, create a new one.

  5. Edit the Credentials by typing in a new Token.
  6. Click Validate and wait for notification of successful validation.
  7. Click Save.

7.7. Viewing a Containers Provider’s Timeline

View the timeline of events for instances registered to a containers provider.

  1. Navigate to ComputeContainersProviders.
  2. Click the desired containers provider for viewing the timeline.
  3. Click Monitoring (Monitoring), and then Timelines (Timelines).

  4. From Options, customize the period of time to display and the types of events to see.

    • Use Show to select regular Management Events or Policy Events.
    • Use the Interval dropdown to select hourly or daily data points.
    • Use Date to type the date for the timeline to display.
    • If you select to view a daily timeline, use Show to set how many days back to go. The maximum history is 31 days.
    • From the Level dropdown, select a Summary event, or a Detail list of events.
    • The three Event Groups dropdowns allow you to select different groups of events to display. Each has its own color.

Click on an item for more detailed information.