# OpenShift Deployment Guide

## Prerequisites

Before deploying to OpenShift, ensure you have:

- OpenShift CLI (`oc`) installed
- Access to an OpenShift cluster
- Helm 3.x installed
## Cluster Setup

- Login to OpenShift:

```bash
oc login --token=sha256~... --server=https://api.cluster.example.com:6443
```

The token on that command line is written to your shell history and is visible in the process list while `oc` runs, so use a short-lived token from the console's "Copy login command" page rather than a long-lived service account token, and clear it from history when you are done.

- Create a project:

```bash
oc new-project prime-edm
```

`oc new-project` also switches your current context to the new project, so the `oc` and `helm` commands below run against it unless you pass `-n`/`--namespace` explicitly.
## Installing Prime EDM Charts

- Add the Helm repository:

```bash
helm repo add prime-edm https://charts.acx-sandbox.net --username $USER --password $PASSWORD
helm repo update
```

Helm writes the repository username and password in clear text to its local `repositories.yaml`; keep `$PASSWORD` out of shell history by exporting it from a credential helper or reading it from a file rather than typing it inline.

- Create OpenShift-specific values:

```yaml
# openshift-values.yaml
global:
  provider: openshift

security:
  # Leave the pod securityContext empty: the restricted SCC assigns the UID,
  # fsGroup and SELinux context from the project's allocated ranges, and a
  # hard-coded runAsUser outside that range is rejected at admission.
  securityContext:
    enabled: false

serviceAccount:
  annotations:
    # Lets the OpenShift OAuth server use the Route as the redirect target for
    # an OAuth proxy that authenticates as this service account.
    serviceaccounts.openshift.io/oauth-redirectreference.primary: '{"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"prime-edm"}}'

route:
  enabled: true
  tls:
    termination: edge
```

- Install the chart:

```bash
helm install prime-edm prime-edm/prime-edm -f openshift-values.yaml
```
## OpenShift-Specific Configuration

### Storage Classes

OpenShift provides several storage options. The class names below are examples; check what your cluster actually offers with `oc get storageclass` before setting one:

```yaml
storage:
  # Default storage class
  class: managed-nfs-storage
  # Block storage
  # class: managed-block-storage
```

`fsGroup` ownership changes are not applied to NFS-backed volumes, so a pod running under the arbitrary UID that the restricted SCC assigns can fail to write to an NFS volume unless the export's group matches one of the pod's supplemental groups. Block storage does not have this problem, which is one reason to prefer it for database volumes.

### Routes

Using OpenShift Routes instead of Ingress:

```yaml
route:
  enabled: true
  host: prime-edm.apps.cluster.example.com
  tls:
    termination: edge
    insecureEdgeTerminationPolicy: Redirect
```

`termination: edge` terminates TLS at the router, so traffic from the router to the pod crosses the cluster network in clear text; `Redirect` answers plain HTTP clients with a redirect to HTTPS instead of serving them. If the pod itself serves TLS and you need encryption end to end, use `termination: reencrypt` (or `passthrough` to leave TLS entirely to the pod).

### Security Context Constraints

This values fragment does not create or grant an SCC. It clears the chart's default pod `securityContext` so the pod is admitted under OpenShift's default `restricted` (or `restricted-v2`) SCC, which fills in `runAsUser` and `fsGroup` from the project's allocated range at admission time:

```yaml
securityContext:
  enabled: false
  fsGroup: null
  runAsUser: null
```

Hard-coding `runAsUser: 0` or a fixed UID would instead force you to grant the service account a more permissive SCC such as `anyuid`, which widens the blast radius of a container compromise and should be avoided. The SCC actually applied to a running pod is recorded in its `openshift.io/scc` annotation.
## Secrets Management

### Vault Operator Setup

- Install the Vault Operator:

```bash
oc new-project hashicorp
oc apply -f https://raw.githubusercontent.com/hashicorp/vault-helm/main/operator/deploy/crds.yaml
oc apply -f https://raw.githubusercontent.com/hashicorp/vault-helm/main/operator/deploy/operator.yaml
```

Applying manifests straight from a `main` branch URL means the content can change between runs and cannot be audited afterwards; pin a tag or commit and keep a copy of what you applied.

- Deploy Vault:

```bash
helm repo add hashicorp https://helm.releases.hashicorp.com
helm repo update
helm install vault hashicorp/vault \
  --namespace hashicorp \
  --set "server.dev.enabled=true"
```

`server.dev.enabled=true` starts Vault in dev mode: in-memory storage that is lost on every restart, automatically unsealed, listening on plain HTTP, with a well-known root token (`root`) and a kv-v2 engine already mounted at `secret/`. That is convenient for trying the External Secrets flow below and unacceptable for anything that holds real credentials. A real deployment leaves dev mode off, uses persistent storage, enables TLS on the listener and goes through `vault operator init` and unseal.
- Install External Secrets Operator:

```bash
helm repo add external-secrets https://charts.external-secrets.io
helm repo update
helm install external-secrets \
  external-secrets/external-secrets \
  --namespace external-secrets \
  --create-namespace \
  --set installCRDs=true
```

- Create SecretStore:

```yaml
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: vault-backend
  namespace: prime-edm
spec:
  provider:
    vault:
      # Plain HTTP matches the dev-mode Vault above. With a TLS listener use
      # https:// and pin the CA with caBundle or caProvider.
      server: "http://vault.hashicorp:8200"
      path: "secret"
      version: "v2"
      auth:
        kubernetes:
          mountPath: "kubernetes"
          role: "prime-edm-role"
          serviceAccountRef:
            name: "prime-edm-sa"
```

A `SecretStore` is namespaced and must live in the same project as the `ExternalSecret`s that reference it (`ClusterSecretStore` is the cluster-wide variant). With `serviceAccountRef`, the operator requests a short-lived token for `prime-edm-sa` through the TokenRequest API and presents it to Vault's Kubernetes auth method, so no long-lived token secret is needed. `prime-edm-sa` must exist in the project and match the name the chart gives its service account, and Vault must have a role named `prime-edm-role` bound to that service account and namespace; the commands above do not configure the Vault side.

- Create ExternalSecret:

```yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: database-secret
  namespace: prime-edm
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: vault-backend
    kind: SecretStore
  target:
    name: db-credentials
  data:
    - secretKey: username
      remoteRef:
        # kv-v2 key under the "secret" mount; Vault reads it as secret/data/database/credentials
        key: database/credentials
        property: username
    - secretKey: password
      remoteRef:
        key: database/credentials
        property: password
```

The operator writes the two properties into a Kubernetes Secret named `db-credentials` in the same project and re-reads Vault every hour. Rotating the value in Vault therefore reaches the cluster within the `refreshInterval`, but the application only sees it when it re-reads the mounted secret or restarts.
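The SecretStore and ExternalSecret above configure only the External Secrets side. Vault also needs the Kubernetes auth method enabled, a read-only policy, a role that maps the chart's service account to that policy, and the secret itself at the kv-v2 path. The script below is an added example, not part of the Prime EDM chart or of the Vault or External Secrets documentation. It assumes the dev-mode Vault from the Helm step (pod `vault-0` in project `hashicorp`, root token `root`), a service account named `prime-edm-sa` in project `prime-edm`, and a policy name `prime-edm-db-read`; the credentials it seeds are constructed placeholders.

```bash
#!/bin/sh
# Added example (not part of the Prime EDM chart or the Vault/ESO projects):
# configure the Vault side of the SecretStore/ExternalSecret above.
# Dry-run by default (prints the vault commands); APPLY=1 runs them inside the
# Vault pod with `oc exec`.
# Assumptions: Vault was installed in dev mode as pod "vault-0" in project
# "hashicorp" (root token "root"); the chart's service account is "prime-edm-sa"
# in project "prime-edm". The seeded credentials are constructed placeholders.
set -eu

VAULT_NS="${VAULT_NS:-hashicorp}"
VAULT_POD="${VAULT_POD:-vault-0}"
VAULT_TOKEN="${VAULT_TOKEN:-root}"      # dev-mode root token; a real Vault uses a scoped token
APP_NS="${APP_NS:-prime-edm}"
APP_SA="${APP_SA:-prime-edm-sa}"
ROLE="${ROLE:-prime-edm-role}"
POLICY="${POLICY:-prime-edm-db-read}"
KV_MOUNT="${KV_MOUNT:-secret}"
SECRET_KEY="${SECRET_KEY:-database/credentials}"

# kv-v2 keeps secret data under <mount>/data/<key>; that is the path a policy
# must grant, even though `vault kv get <mount>/<key>` hides the "data" segment.
kv_data_path() {
  printf '%s/data/%s\n' "$1" "$2"
}

# Least privilege: the role can read exactly one secret, nothing else.
render_policy() {
  printf 'path "%s" {\n  capabilities = ["read"]\n}\n' "$(kv_data_path "$1" "$2")"
}

# Arguments for the Kubernetes auth role. Binding both the service account name
# AND its namespace matters: a name-only binding lets a same-named service
# account in any other project log in as this role.
role_args() {
  printf 'bound_service_account_names=%s bound_service_account_namespaces=%s policies=%s ttl=1h\n' \
    "$1" "$2" "$3"
}

# Run one vault CLI command inside the Vault pod, or print it in dry-run mode.
vault_exec() {
  if [ "${APPLY:-0}" = "1" ]; then
    oc exec -n "$VAULT_NS" "$VAULT_POD" -- sh -c "VAULT_TOKEN='$VAULT_TOKEN' vault $*"
  else
    printf '[dry-run] vault %s\n' "$*"
  fi
}

# `vault policy write NAME -` reads the policy from stdin; pipe it through oc exec -i.
vault_policy_write() {
  if [ "${APPLY:-0}" = "1" ]; then
    render_policy "$KV_MOUNT" "$SECRET_KEY" | oc exec -i -n "$VAULT_NS" "$VAULT_POD" -- \
      sh -c "VAULT_TOKEN='$VAULT_TOKEN' vault policy write '$POLICY' -"
  else
    printf '[dry-run] vault policy write %s - <<EOF\n%s\nEOF\n' \
      "$POLICY" "$(render_policy "$KV_MOUNT" "$SECRET_KEY")"
  fi
}

configure_vault() {
  # 1. Enable the Kubernetes auth method (`|| true` keeps a re-run idempotent).
  vault_exec auth enable kubernetes || true
  # 2. Point it at the in-cluster API server. Vault's own service account token is
  #    used for TokenReview; the Helm chart grants it system:auth-delegator for that.
  vault_exec write auth/kubernetes/config kubernetes_host=https://kubernetes.default.svc:443
  # 3. Policy granting read on the one kv-v2 path the ExternalSecret references.
  vault_policy_write
  # 4. Role that the token ESO obtains for serviceAccountRef will log in as.
  vault_exec write "auth/kubernetes/role/$ROLE" "$(role_args "$APP_SA" "$APP_NS" "$POLICY")"
  # 5. Seed the secret (constructed placeholder values).
  vault_exec kv put "$KV_MOUNT/$SECRET_KEY" username=edm_app password=example-only-not-a-real-password
}

# After APPLY=1, confirm ESO synced it: the ExternalSecret should report Ready=True
# and the target Secret should exist in the application project.
verify_sync() {
  oc get externalsecret database-secret -n "$APP_NS"
  oc get secret db-credentials -n "$APP_NS" -o jsonpath='{.data.username}' | base64 -d; echo
}

configure_vault
if [ "${APPLY:-0}" = "1" ]; then verify_sync; fi
```

Run it once without arguments to review the commands, then `APPLY=1 sh vault-setup.sh`. Two details carry the security weight: the policy is scoped to `secret/data/database/credentials` rather than `secret/*`, and the role binds the namespace as well as the service account name, so a `prime-edm-sa` created in another project cannot read the credentials.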
## Monitoring

### OpenShift Monitoring Integration

OpenShift ships its own Prometheus stack, and the `openshift-monitoring` project is managed by the Cluster Monitoring Operator: creating your own `ServiceMonitor` objects there requires cluster-admin and is not a supported configuration. The supported path is to have a cluster administrator enable monitoring for user-defined projects (`enableUserWorkload: true` in the `cluster-monitoring-config` ConfigMap in `openshift-monitoring`), after which a `ServiceMonitor` in your own project is scraped by the user-workload Prometheus:

```yaml
monitoring:
  serviceMonitor:
    enabled: true
    # the project the Service lives in, not openshift-monitoring
    namespace: prime-edm
```
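The following script is an added example, not part of the Prime EDM chart or of OpenShift's documentation. It renders the cluster-level switch that enables monitoring for user-defined projects and a `ServiceMonitor` placed in the application's own project (equivalent to what the chart's `monitoring.serviceMonitor` values are meant to produce), printing them by default and applying them with `oc` when `APPLY=1`. It assumes the chart labels its Service `app.kubernetes.io/name: prime-edm` and names its metrics port `metrics`; both are assumptions, so adjust them to the chart.

```bash
#!/bin/sh
# Added example (not part of the Prime EDM chart): enable monitoring for
# user-defined projects and register a ServiceMonitor in the application's own
# project instead of in openshift-monitoring. Dry-run by default (prints the
# manifests); APPLY=1 applies them with oc. The ConfigMap needs cluster-admin;
# the ServiceMonitor only needs edit rights in the project.
# Assumptions: the chart labels its Service app.kubernetes.io/name=prime-edm and
# names the metrics port "metrics" (unverified here; adjust to the chart).
set -eu

APP_NS="${APP_NS:-prime-edm}"
APP_LABEL="${APP_LABEL:-prime-edm}"
METRICS_PORT="${METRICS_PORT:-metrics}"

# Cluster-level switch. If cluster-monitoring-config already exists, merge this
# key into its config.yaml instead of applying this whole object over it.
render_cluster_monitoring_config() {
  cat <<'EOF'
apiVersion: v1
kind: ConfigMap
metadata:
  name: cluster-monitoring-config
  namespace: openshift-monitoring
data:
  config.yaml: |
    enableUserWorkload: true
EOF
}

# ServiceMonitor in the project that owns the Service; the user-workload
# Prometheus picks up ServiceMonitors from user projects, not from openshift-*.
render_servicemonitor() {
  ns="$1"; label="$2"; port="$3"
  cat <<EOF
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: prime-edm
  namespace: ${ns}
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: ${label}
  endpoints:
    - port: ${port}
      interval: 30s
EOF
}

apply_or_print() {
  if [ "${APPLY:-0}" = "1" ]; then oc apply -f -; else cat; fi
}

render_cluster_monitoring_config | apply_or_print
render_servicemonitor "$APP_NS" "$APP_LABEL" "$METRICS_PORT" | apply_or_print

if [ "${APPLY:-0}" = "1" ]; then
  # The user-workload Prometheus and Thanos ruler appear in their own project
  # once the switch is on; until they are Running nothing is scraped.
  oc get pods -n openshift-user-workload-monitoring
  # Confirm the Service the selector targets actually exists with that label.
  oc get svc -n "$APP_NS" -l "app.kubernetes.io/name=$APP_LABEL"
fi
```

If `oc get svc` with the label returns nothing, the `ServiceMonitor` is silently ignored; match the label and port name to what `oc get svc -o yaml` shows for the chart's Service.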
## Best Practices

- Use node selectors:

```yaml
nodeSelector:
  node-role.kubernetes.io/worker: ""
```

- Configure resource limits:

```yaml
resources:
  requests:
    cpu: 250m
    memory: 512Mi
  limits:
    cpu: 500m
    memory: 1Gi
```

Requests are what the scheduler reserves and what project quotas are charged against; limits are enforced at run time, and a container that exceeds its memory limit is OOM-killed.

- Enable auto-scaling:

```yaml
autoscaling:
  enabled: true
  minReplicas: 2
  maxReplicas: 10
  targetCPUUtilizationPercentage: 80
```

The HorizontalPodAutoscaler computes utilization against `resources.requests.cpu`, so it only works when the CPU request above is set.
## Troubleshooting

Common issues and the checks to run for each:

Route issues:

- Check route configuration
- Verify TLS settings
- Validate DNS setup

Storage problems:

- Confirm storage class exists
- Check PVC status
- Verify project quotas

Security issues:

- Check SCC assignments
- Verify service account permissions
- Validate role bindings
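The checks above, and the SCC check described in the Security Context Constraints section, as concrete commands. This script is an added example, not part of the Prime EDM chart; it assumes project `prime-edm`, a Route named `prime-edm` and a service account `prime-edm-sa` (the chart's names are assumed, not verified). The `oc`/`curl` checks run only with `RUN_CHECKS=1`; the `scc_report` helper that decides whether a pod landed under the expected SCC is pure shell and runs anywhere.

```bash
#!/bin/sh
# Added example (not part of the Prime EDM chart): the concrete oc/curl checks
# behind the troubleshooting list, plus a pure helper for the SCC check.
# Assumptions: project "prime-edm", Route "prime-edm", service account
# "prime-edm-sa". The checks that call oc only run when RUN_CHECKS=1.
set -eu

APP_NS="${APP_NS:-prime-edm}"
ROUTE="${ROUTE:-prime-edm}"
APP_SA="${APP_SA:-prime-edm-sa}"

# Read "pod scc" lines on stdin and report any pod not admitted under the
# default restricted SCC. Returns 1 if an offender is found. A pod under
# anyuid or privileged means the service account was granted more than the
# chart needs, intentionally or not.
scc_report() {
  rc=0
  while read -r pod scc; do
    [ -z "$pod" ] && continue
    case "$scc" in
      restricted|restricted-v2) ;;
      *) printf 'WARN %s runs under SCC "%s"\n' "$pod" "${scc:-<none>}"; rc=1 ;;
    esac
  done
  return $rc
}

# Route: termination mode, redirect policy, whether plain HTTP is really redirected, DNS.
check_route() {
  echo "== route"
  oc get route "$ROUTE" -n "$APP_NS" \
    -o jsonpath='{.spec.host}{" tls="}{.spec.tls.termination}{" insecure="}{.spec.tls.insecureEdgeTerminationPolicy}{"\n"}'
  host=$(oc get route "$ROUTE" -n "$APP_NS" -o jsonpath='{.spec.host}')
  # With insecureEdgeTerminationPolicy=Redirect this should be a 302 to https://
  curl -sI "http://$host/" | head -n 1
  # The host must resolve to the router's address, not to nothing.
  getent hosts "$host" || echo "DNS: $host does not resolve"
}

# Storage: class exists, PVCs are Bound, quota is not exhausted.
check_storage() {
  echo "== storage"
  oc get storageclass
  oc get pvc -n "$APP_NS"           # STATUS should be Bound, not Pending
  oc describe quota -n "$APP_NS"    # Pending PVCs often mean requests.storage is used up
}

# Security: SCC per pod, what the service account may do, and who is bound to what.
check_security() {
  echo "== scc per pod"
  oc get pods -n "$APP_NS" \
    -o jsonpath='{range .items[*]}{.metadata.name}{" "}{.metadata.annotations.openshift\.io/scc}{"\n"}{end}' \
    | scc_report || echo "at least one pod is not under the restricted SCC"
  echo "== permissions of the service account"
  oc auth can-i --list -n "$APP_NS" --as="system:serviceaccount:$APP_NS:$APP_SA"
  echo "== role bindings in the project"
  oc get rolebindings -n "$APP_NS"
}

if [ "${RUN_CHECKS:-0}" = "1" ]; then
  check_route; check_storage; check_security
fi
```

`oc auth can-i --list --as=system:serviceaccount:...` is the quickest way to see the effective permissions of the chart's service account, including anything inherited from the project's default role bindings; a `*` on resources or verbs there deserves the same attention as a non-restricted SCC.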