Chapter 7. Containers Providers

A containers provider is a service that manages container resources, that can be added to the Red Hat CloudForms appliance.

CloudForms can connect to OpenShift Container Platform containers providers and manage them similarly to infrastructure and cloud providers. This allows you to gain control over different aspects of your containers environment and answer questions such as:

  • How many containers exist in my environment?
  • Does a specific node have enough resources?
  • How many distinct images are used?
  • Which image registries are used?

When CloudForms connects to a containers environment, it collects information on different areas of the environment:

  • Entities such as pods, nodes, or services.
  • Basic relationships between the entities, for example: Which services are serving which pods?
  • Advanced insight into relationships, for example: Which two different containers are using the same image?
  • Additional information, such as events, projects, routes, and metrics.

You can manage policies for containers entities by adding tags. All containers entities except volumes can be tagged.

Note

This chapter provides details on managing containers providers. For details on working with the resources within a container environment, see Container Entities in Managing Infrastructure and Inventory.

The CloudForms user interface uses virtual thumbnails to represent containers providers. Each thumbnail contains four quadrants by default, which display basic information about each provider:

  1. Number of nodes
  2. Container provider software
  3. Power state
  4. Authentication status

Table 7.1. Containers provider authentication status

  • Validated: Valid authentication credentials have been added.
  • Invalid: Authentication credentials are invalid.
  • Unknown: Authentication status is unknown or no credentials have been entered.

7.1. Obtaining an OpenShift Container Platform Management Token

When deploying OpenShift using openshift-ansible-3.0.20 (or later versions), the OpenShift Container Platform service account and roles required by Red Hat CloudForms are installed by default.

Note

See the OpenShift Container Platform documentation for a list of the default roles.

Run the following to obtain the token needed to add an OpenShift Container Platform provider:

# oc sa get-token -n management-infra management-admin
eyJhbGciOiJSUzI1NiI...

7.2. Enabling OpenShift Cluster Metrics

Use the OpenShift Cluster Metrics plug-in to collect node, pod, and container metrics into one location. This helps track usage and find common issues.

7.3. Adding an OpenShift Container Platform Provider

After initial installation and creation of a Red Hat CloudForms environment, add an OpenShift Container Platform provider using the token obtained in Section 7.1, “Obtaining an OpenShift Container Platform Management Token” and following the procedure below.

  1. Navigate to Compute → Containers → Providers.
  2. Click Configuration, then click Add a New Containers Provider.
  3. Enter a Name for the provider.
  4. From the Type list, select OpenShift Container Platform.
  5. Enter the appropriate Zone for the provider. If you do not specify a zone, it is set to default.
  6. From the Alerts list, select Prometheus to enable external alerts. Selecting Prometheus adds an Alerts tab to the lower pane to configure the Prometheus service. Alerts are disabled by default.
  7. From the Metrics list, select Hawkular or Prometheus to collect capacity and utilization data, or leave as Disabled. Selecting Prometheus or Hawkular adds a Metrics tab to the lower pane for further configuration. Metrics are disabled by default.
  8. In the Default tab, configure the following for the OpenShift provider:

    1. Select a Security Protocol method to specify how to authenticate the provider:

      • SSL: Authenticate the provider securely using a trusted Certificate Authority. Select this option if the provider has a valid SSL certificate and it is signed by a trusted Certificate Authority. No further configuration is required for this option.
      • SSL trusting custom CA: Authenticate the provider with a self-signed certificate. For this option, copy your provider’s CA certificate to the Trusted CA Certificates box in PEM format.

        Note

        You can obtain your OpenShift Container Platform provider’s CA certificate for all endpoints (default, metrics, alerts) from /etc/origin/master/ca.crt. Paste the output (a block of text starting with -----BEGIN CERTIFICATE-----) into the Trusted CA Certificates field.

      • SSL without validation: Authenticate the provider insecurely (not recommended).
    2. Enter the Hostname (or IPv4 or IPv6 address) of the provider.

      Important

      The Hostname must use a unique fully qualified domain name.

    3. Enter the API Port of the provider. The default port is 8443.
    4. Enter a token for your provider in the Token box.

      Note

      To obtain a token for your provider, run the oc get secret command on your provider; see Obtaining an OpenShift Container Platform Management Token.

      For example, reading the token key from the service account's token secret (the ca.crt key of the same secret holds the CA certificate, not the token):

      # oc get secret --namespace management-infra management-admin-token-8ixxs --template='{{index .data "token"}}' | base64 --decode

    5. Click Validate to confirm that Red Hat CloudForms can connect to the OpenShift Container Platform provider.
  9. If you selected a metrics service, configure the service details in the Metrics tab:

    1. Select a Security Protocol method to specify how to authenticate the service:

      • SSL: Authenticate the provider securely using a trusted Certificate Authority. Select this option if the provider has a valid SSL certificate and it is signed by a trusted Certificate Authority. No further configuration is required for this option.
      • SSL trusting custom CA: Authenticate the provider with a self-signed certificate. For this option, copy your provider’s CA certificate to the Trusted CA Certificates box in PEM format.

        Note

        In OpenShift, the default deployment of the router generates certificates during installation, which can be used with the SSL trusting custom CA option. Connecting a Hawkular endpoint with this option requires the CA certificate that the cluster uses for service certificates, which is stored in /etc/origin/master/service-signer.crt on the first master in a cluster.

      • SSL without validation: Authenticate the provider insecurely using SSL (not recommended).
    2. Enter the Hostname (or IPv4 or IPv6 address) of the provider, or use the Detect button to find the hostname.
    3. Enter the API Port if your Hawkular provider uses a non-standard port for access. The default port is 443.
    4. Click Validate to confirm that Red Hat CloudForms can connect to the metrics endpoint.
  10. For the Prometheus alerts service, add the Prometheus alerts endpoint in the Alerts tab:

    1. Select a Security Protocol method to specify how to authenticate the service:

      • SSL: Authenticate the provider securely using a trusted Certificate Authority. Select this option if the provider has a valid SSL certificate and it is signed by a trusted Certificate Authority. No further configuration is required for this option.
      • SSL trusting custom CA: Authenticate the provider with a self-signed certificate. For this option, copy your provider’s CA certificate to the Trusted CA Certificates box in PEM format.
      • SSL without validation: Authenticate the provider insecurely using SSL (not recommended).
    2. Enter the Hostname (or IPv4 or IPv6 address) or alert Route.
    3. Enter the API Port if your Prometheus provider uses a non-standard port for access. The default port is 443.
    4. Click Validate to confirm that CloudForms can connect to the alerts service.
  11. Click the Advanced tab to add image inspector settings for scanning container images on your provider using OpenSCAP.

    Note
      • These settings control downloading the image inspector container image from the registry and obtaining the Common Vulnerabilities and Exposures (CVE) information (for effective scanning) via a proxy.
      • The CVE URL that CloudForms requires to be reachable for OpenSCAP scanning is https://www.redhat.com/security/data/metrics/ds/. This information is based on the source code of OpenSCAP.

    1. Enter the proxy information for the provider in either HTTP, HTTPS, or NO Proxy depending on your environment.
    2. Enter the Image-Inspector Repository information. For example, openshift3/image-inspector.
    3. Enter the Image-Inspector Registry information. For example, registry.access.redhat.com.
    4. Enter the Image-Inspector Tag value. A tag is a mark used to differentiate images in a repository, typically by the application version stored in the image.
    5. Enter https://www.redhat.com/security/data/metrics/ds/ in CVE location.
  12. Click Add.

Note

You can also set global default image-inspector settings for all OpenShift providers in the advanced settings menu by editing the values under ems_kubernetes, instead of setting this for each provider.

For example:

:image_inspector_registry: registry.access.redhat.com
:image_inspector_repository: openshift3/image-inspector
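As an added offline pre-flight check written for this chapter (example code, not part of CloudForms or OpenShift): it decodes the token from Section 7.1 to confirm it belongs to the management-admin service account in management-infra before it is pasted into the Token box, checks that the text intended for Trusted CA Certificates loads as a certificate, and, given a hostname, queries the API on port 8443 trusting only that CA, which is the same trust model as the SSL trusting custom CA option. The sample claims are constructed, and the function names are the example's own.

```python
import base64
import http.client
import json
import ssl

# Constructed claims in the shape of an OpenShift 3.x service-account token for
# management-admin in management-infra (illustration only; a real token from
# `oc sa get-token` is RSA-signed by the cluster).
SAMPLE_CLAIMS = {
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "management-infra",
    "kubernetes.io/serviceaccount/service-account.name": "management-admin",
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_token(claims: dict) -> str:
    """Build a JWT-shaped string with a placeholder signature (constructed)."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return ".".join([header, _b64url(json.dumps(claims).encode()), "sig"])

def token_claims(token: str) -> dict:
    """Decode the JWT payload; the signature is NOT verified (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_management_token(token, namespace="management-infra", account="management-admin"):
    """Return mismatches against the expected service account; [] means OK."""
    claims = token_claims(token)
    expected = {
        "iss": ("kubernetes/serviceaccount", "not a service-account token"),
        "kubernetes.io/serviceaccount/namespace": (namespace, "namespace mismatch"),
        "kubernetes.io/serviceaccount/service-account.name": (account, "service account mismatch"),
    }
    return [msg for key, (value, msg) in expected.items() if claims.get(key) != value]

def ca_pem_loads(pem: str) -> bool:
    """True if the text to paste into Trusted CA Certificates is a loadable cert."""
    try:
        ssl.create_default_context(cadata=pem)
        return True
    except (ssl.SSLError, ValueError):
        return False

def probe_api(host: str, token: str, ca_pem: str, port: int = 8443) -> int:
    """GET /version over TLS trusting only ca_pem; returns the HTTP status code."""
    ctx = ssl.create_default_context(cadata=ca_pem)
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    conn.request("GET", "/version", headers={"Authorization": "Bearer " + token})
    return conn.getresponse().status
```

probe_api needs a reachable master and is not exercised offline; a 200 from /version with the pasted CA confirms hostname, port, CA and token together, which is what the Validate button checks.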

7.4. Tagging Containers Providers

Apply tags to all containers providers to categorize them together at the same time.

  1. Navigate to Compute → Containers → Providers.
  2. Select the checkboxes for the containers providers to tag.
  3. Click Policy, and then Edit Tags.
  4. Select a tag to assign from the drop-down menu.
  5. Select a value to assign.
  6. Click Save.

7.5. Removing Containers Providers

You may want to remove a containers provider from the VMDB if the provider is no longer in use.

  1. Navigate to Compute → Containers → Providers.
  2. Select the checkboxes for the containers providers to remove.
  3. Click Configuration, and then Remove Containers Providers from the VMDB.
  4. Click OK.

7.6. Pausing / Resuming Containers Providers

In CloudForms, you can pause and resume containers providers. This allows users to add a number of potentially resource-intensive providers, then pause and resume those that are not required at a given time. Additionally, when performing maintenance on a provider, you can pause the provider to prevent CloudForms from connecting to it, to avoid generating log errors or collecting partial data.

Note
  • While the provider is paused, no data is collected from it. This may cause gaps in inventory, metrics, and events.
  • Pausing does not turn off the provider itself; it only temporarily disables the link between CloudForms and the provider. Resuming the provider re-enables that link.

To pause a containers provider:

  1. Navigate to Compute → Containers → Providers.
  2. Click the containers provider that you want to pause.
  3. Click Configuration, and then Pause this Containers Provider.
  4. Click OK.

To resume a paused containers provider:

  1. Navigate to Compute → Containers → Providers.
  2. Click the paused containers provider that you want to resume.
  3. Click Configuration, and then Resume this Containers Provider.
  4. Click OK.

7.7. Editing a Containers Provider

Edit information about a provider such as the name, hostname, IP address or port, and credentials as required. If you have just upgraded your CloudForms environment from an older version, edit the provider to specify the authentication method the provider uses to connect to Red Hat CloudForms.

  1. Navigate to Compute → Containers → Providers.
  2. Click the containers provider to edit.
  3. Click Configuration, and then Edit Selected Containers Provider.
  4. Edit the Name if required.

    Note

    The Type value cannot be changed.

  5. Under Endpoints in the Default tab, edit the following as required:

    1. Select a Security Protocol method to specify how to authenticate the provider:

      • SSL: Authenticate the provider securely using a trusted Certificate Authority. Select this option if the provider has a valid SSL certificate and it is signed by a trusted Certificate Authority. No further configuration is required for this option.
      • SSL trusting custom CA: Authenticate the provider with a self-signed certificate. For this option, copy your provider’s CA certificate to the Trusted CA Certificates box in PEM format.

        Note

        You can obtain your OpenShift Container Platform provider’s CA certificate for all endpoints (default, metrics, alerts) from /etc/origin/master/ca.crt. Paste the output (a block of text starting with -----BEGIN CERTIFICATE-----) into the Trusted CA Certificates field.

      • SSL without validation: Authenticate the provider insecurely (not recommended).
    2. Enter the Hostname (or IPv4 or IPv6 address) of the provider.

      Important

      The Hostname must use a unique fully qualified domain name.

    3. Enter the API Port of the provider. The default port is 8443.
    4. Enter a token for your provider in the Token box.

      Note

      To obtain a token for your provider, run the oc get secret command on your provider; see Obtaining an OpenShift Container Platform Management Token.

      For example, reading the token key from the service account's token secret (the ca.crt key of the same secret holds the CA certificate, not the token):

      # oc get secret --namespace management-infra management-admin-token-8ixxs --template='{{index .data "token"}}' | base64 --decode

    5. Click Validate to confirm that Red Hat CloudForms can connect to the OpenShift Container Platform provider.
  6. Under Endpoints in the Metrics tab, configure the following for the capacity and utilization metrics service (Hawkular or Prometheus) selected in the Metrics list:

    1. Select a Security Protocol method to specify how to authenticate the provider:

      • SSL: Authenticate the provider securely using a trusted Certificate Authority. Select this option if the provider has a valid SSL certificate and it is signed by a trusted Certificate Authority. No further configuration is required for this option.
      • SSL trusting custom CA: Authenticate the provider with a self-signed certificate. For this option, copy your provider’s CA certificate to the Trusted CA Certificates box in PEM format.
      • SSL without validation: Authenticate the provider insecurely using SSL (not recommended).
    2. Enter the Hostname (or IPv4 or IPv6 address) of the provider.
    3. Enter the API Port if your provider uses a non-standard port for access. The default port is 443.
    4. Click Validate to confirm that Red Hat CloudForms can connect to the endpoint.
  7. Under Endpoints in the Alerts tab, configure the following for Prometheus alerting from the cluster:

    1. Select a Security Protocol method to specify how to authenticate the service:

      • SSL: Authenticate the provider securely using a trusted Certificate Authority. Select this option if the provider has a valid SSL certificate and it is signed by a trusted Certificate Authority. No further configuration is required for this option.
      • SSL trusting custom CA: Authenticate the provider with a self-signed certificate. For this option, copy your provider’s CA certificate to the Trusted CA Certificates box in PEM format.
      • SSL without validation: Authenticate the provider insecurely using SSL (not recommended).
    2. Enter the Hostname (or IPv4 or IPv6 address) of the provider.
    3. Enter the API Port if your provider uses a non-standard port for access. The default port is 443.
    4. Click Validate to confirm that Red Hat CloudForms can connect to the endpoint.
  8. Click Save.

7.8. Hiding Environment Variables for Containers Providers

You can restrict users from viewing container provider environment variables by configuring user roles.

This is useful as the environment variables panel can expose sensitive information, such as passwords, that you may not want certain users to view.

Note

The default user roles in CloudForms are read-only. To customize a role’s settings, create a new role or a copy of an existing role.

You can view role information and the product features the role can access (marked by a checkmark) by clicking on any role in Access Control. Expand the categories under Product Features to see further detail.

To configure user access to container environment variables:

  1. From the settings menu, select Configuration.
  2. Click the Access Control accordion, then click Roles.
  3. Select an existing custom role from the Access Control Roles list, and click Configuration, then Edit the selected Role.

    Alternatively, to create a new custom role, select a role from the Access Control Roles list, and click Configuration, then Copy this Role to a new Role.

  4. Edit the name for the role if desired.
  5. For Access Restriction for Services, VMs, and Templates, select if you want to limit users with this role to only see resources owned by the user or their group, owned by the user, or all resources (None).
  6. Expand the Product Features (Editing) tree options to show Everything → Compute → Containers → Containers Explorer → All Containers → View Containers.
  7. Clear the Environment Variables checkbox to restrict the user role from viewing container environment variables.

  8. Click Save.

For more information about user roles, see Roles in General Configuration.

7.9. Viewing a Containers Provider’s Timeline

View the timeline of events for instances registered to a containers provider.

  1. Navigate to Compute → Containers → Providers.
  2. Click the desired containers provider for viewing the timeline.
  3. Click Monitoring, and then Timelines.
  4. From Options, customize the period of time to display and the types of events to see.

    • Use Show to select regular Management Events or Policy Events.
    • Use the Interval dropdown to select hourly or daily data points.
    • Use Date to type the date for the timeline to display.
    • If you select to view a daily timeline, use Show to set how many days back to go. The maximum history is 31 days.
    • From the Level dropdown, select a Summary event, or a Detail list of events.
    • The three Event Groups dropdowns allow you to select different groups of events to display. Each has its own color.

Click on an item for more detailed information.