v1.0

psehgaft · Dec 8, 2023 · 52071d2 · 52071d2
1 parent 1ff1c19
commit 52071d2
Show file tree

Hide file tree

Showing 19 changed files with 565 additions and 6 deletions.
diff --git a/README.md b/README.md
@@ -1,15 +1,120 @@
 # Hybrid_cloud_ecosystems
 
+## Justification
+
+Implementing microservices offers numerous benefits, but also presents challenges and potential problems when an architectural framework of microservices as ecosystems is not established.
+Some of the current problems when implementing microservices include:
+
+1. Management Complexity:
+
+Microservices present greater complexity in the management of multiple independent services, each with its own database and business logic. Coordinating and managing these pieces can be challenging.
+`Reference: Lewis, J. and Fowler, M. (2014). Microservices: a definition of this new architectural term.`
+
+2. Consistency and Distributed Transactions:
+
+Maintaining data consistency in a microservices environment, especially in operations that involve distributed transactions, can be complicated and require specific solutions.
+`Reference: Newman, S. (2015). Building microservices: detailed system design.`
+
+3. Security and Data Protection:
+
+Managing security in a microservices environment, involving multiple services and entry points, can be challenging. Data protection and authentication must be carefully considered.
+`Reference: Richardson, C. (2018). Microservices security in action.`
+
+4. Monitoring and Follow-up:
+
+Tracking and monitoring distributed microservices can be complex. Specialized solutions are required to understand system-wide performance and issues.
+`Reference: Burns, B. (2019). Distributed Systems Design: Patterns and Paradigms for Scalable and Reliable Services.`
+
+5. Testing and Continuous Deployment:
+
+
+Implementing effective testing and continuous deployment strategies for microservices can be more complicated than in monolithic architectures, especially given the need to test interactions between services.
+`Reference: Newman, S. (2015). Building microservices: detailed system design.`
+
+6. Cultural and Organizational Change:
+
+Adopting a microservices architecture often involves a significant cultural and organizational change. Organizations must adapt to a small, independent team mentality.
+`Reference: Fowler, M. and Lewis, J. (2018). Microservices: the dark side.`
+
+7. Network Overload and Latency:
+
+Communication between microservices can introduce latency, and a poorly designed architecture can result in network overload, affecting overall performance.
+`Reference: Newman, S. (2015). Building microservices: detailed system design.`
+
+8 Duplication of Functionalities and Waste of Resources:
+
+Fragmentation of services can lead to duplication of functionality, which can result in wasted resources and development efforts.
+`Reference: Richardson, C. (2018). Microservices Patterns: With examples in Java.`
+
+It is important to address these problems with a strategic approach and consider specific solutions to mitigate the challenges associated with the implementation of microservices in an enterprise environment, which is why it is important to undertake research on microservices implementation that reduces the impact of the aforementioned problems. . .
+
+## Architecture
+
+![Open Hybrid Ecosystems](./images/hybrid-microservices-ecosystems.png)
+
+# LAB
+
+## Pre-reqs
+
+<details>
+<summary> Install ansible </summary>
+
+```sh
+sudo dnf install -y ansible
+```
+
+</details>
+<details>
+<summary> vars.yml</summary>
+
 ```vars.yml
 username: {{ user }}
+subctl-cli-url: "https://get.submariner.io"
+submariner-path: "$PATH:~/.local/bin"
+```
+</details>
+<details>
+
+<summary> Install subctl </summary>
+
+Download the subctl binary and make it available on your PATH.
+
+```sh
+sudo dnf install -y ansible
+ansible-playbook submariner/submariner-install.yml
+```
+</details>
+
+## Management Complexity
+
+**_NOTE:_** This part of the laboratory has already been provisioned, to focus on the deployment of the ecosystem's own services.
+
+<details>
+<summary> Deploy ACM </summary>
+
+You can use either the OpenShift 4 web console's built-in OperatorHub or the OpenShift CLI to install ACM. The installation breaks down to six steps:
 
+1. Prepare the environment for the ACM installation.
+2. Create a new OpenShift project and namespace.
+3. Create an image-pull secret.
+4. Install ACM and subscribe to the ACM Operator group.
+5. Create the MultiClusterHub resource.
+6. Verify the ACM installation.
+
+We will use the OpenShift command line for the first several steps; . then, I will show you how to use either the command line or the OpenShift 4 web console.
+
+```vars.yml
+ansible-playbook lab-deployment.yml --tags acm
 ```
+</details>
+
+## Consistency and Distributed Transactions
 
-## Deploy Submariner
+### Deploy Submariner
 
-## Configure Submariner
+### Configure Submariner
 
-## Deploy Skupper Operator
+### Deploy Skupper Operator
 
 If you want to try a cluster-wide installation, you don't need to create the `OperatorGroup` as it is already defined at the destination namespaces, so you just need to create the subscription at the correct namespaces, see below.
 
@@ -33,11 +138,33 @@ oc apply -f ocp /20-Subscription-cluster.yaml
 oc apply -f ocp/20-Subscription.yaml
 ```
 
-## Configure Skupper
+### Configure Skupper
+
+## Security and Data Protection
+
+**_NOTE:_** This part of the laboratory has already been provisioned, to focus on the deployment of the ecosystem's own services.
+
+<details>
+<summary> Deploy ACS </summary>
+
+When RHACM is available, you can create RHACM policies to deploy RHACS to your cluster fleet. This approach ensures that all fleet clusters are protected by RHACS.
+
+To implement RHACS, you must create two policies in RHACM, one for centralized services and one for protected cluster services. The policy to install centralized services must be applied to the hub cluster. The policy for installing protected cluster services must be applied to the clusters that you want RHACS to protect. You can achieve this separation by using a clusterSelector parameter of the PlacementRule object.
+
+```vars.yml
+ansible-playbook lab-deployment.yml --tags acs
+```
+</details>
+
+## Monitoring and Follow-up
+## Testing and Continuous Deployment
+## Cultural and Organizational Change
+## Network Overload and Latency
+## Duplication of Functionalities and Waste of Resources
 
-## Deploy applications
+### Deploy applications
 
-## Scenarios
+### Scenarios
 
 ### Hybrid Cloud Balancing
 

diff --git a/acm/acm-kusterletaddonconfig.yml b/acm/acm-kusterletaddonconfig.yml
@@ -0,0 +1,22 @@
+apiVersion: agent.open-cluster-management.io/v1
+kind: KlusterletAddonConfig
+metadata:
+  name: managed-cluster
+  namespace: managed-cluster
+spec:
+  clusterName: managed-cluster
+  clusterNamespace: managed-cluster
+  applicationManager:
+    enabled: true
+  certPolicyController:
+    enabled: true
+  clusterLabels:
+    cloud: auto-detect
+    vendor: auto-detect
+  iamPolicyController:
+    enabled: true
+  policyController:
+    enabled: true
+  searchCollector:
+    enabled: true
+  version: 2.9.0
diff --git a/acm/acm-managedcluster.yml b/acm/acm-managedcluster.yml
@@ -0,0 +1,7 @@
+apiVersion: cluster.open-cluster-management.io/v1
+kind: ManagedCluster
+metadata:
+  name: managed-cluster
+  namespace: managed-cluster
+spec:
+  hubAcceptsClient: true
diff --git a/acm/acm-multicluster.yml b/acm/acm-multicluster.yml
@@ -0,0 +1,37 @@
+apiVersion: operator.open-cluster-management.io/v1
+kind: MultiClusterHub
+metadata:
+  name: multiclusterhub
+  namespace: open-cluster-management
+  finalizers:
+    - finalizer.operator.open-cluster-management.io
+spec:
+  availabilityConfig: Basic
+  enableClusterBackup: false
+  ingress:
+    sslCiphers:
+      - ECDHE-ECDSA-AES256-GCM-SHA384
+      - ECDHE-RSA-AES256-GCM-SHA384
+      - ECDHE-ECDSA-AES128-GCM-SHA256
+      - ECDHE-RSA-AES128-GCM-SHA256
+  overrides:
+    components:
+      - enabled: true
+        name: console
+      - enabled: true
+        name: insights
+      - enabled: true
+        name: grc
+      - enabled: true
+        name: cluster-lifecycle
+      - enabled: true
+        name: volsync
+      - enabled: true
+        name: multicluster-engine
+      - enabled: true
+        name: search
+      - enabled: true
+        name: app-lifecycle
+      - enabled: false
+        name: cluster-backup
+  separateCertificateManagement: false
diff --git a/acm/acm-operatorgroup.yml b/acm/acm-operatorgroup.yml
@@ -0,0 +1,9 @@
+apiVersion: operators.coreos.com/v1
+kind: OperatorGroup
+metadata:
+  name: acm-operator-group
+  namespace: open-cluster-management
+spec:
+  targetNamespaces:
+    - open-cluster-management
+  upgradeStrategy: Default
diff --git a/acm/acm-subscription.yml b/acm/acm-subscription.yml
@@ -0,0 +1,13 @@
+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+metadata:
+  name: advanced-cluster-management
+  namespace: open-cluster-management
+  labels:
+    operators.coreos.com/advanced-cluster-management.open-cluster-management: ''
+spec:
+  sourceNamespace: openshift-marketplace
+  source: redhat-operators
+  channel: release-2.9
+  installPlanApproval: Automatic
+  name: advanced-cluster-management
diff --git a/acs/policy-acs-operator-secured-clusters.yml b/acs/policy-acs-operator-secured-clusters.yml
@@ -0,0 +1,126 @@
+apiVersion: policy.open-cluster-management.io/v1
+kind: Policy
+metadata:
+  name: policy-advanced-managed-cluster-security
+  namespace: rhacs-operator
+  annotations:
+    policy.open-cluster-management.io/standards: NIST SP 800-53
+    policy.open-cluster-management.io/categories: CM Configuration Management
+    policy.open-cluster-management.io/controls: CM-2 Baseline Configuration
+spec:
+  remediationAction: enforce
+  disabled: false
+  policy-templates:
+  - objectDefinition:
+      apiVersion: policy.open-cluster-management.io/v1
+      kind: ConfigurationPolicy
+      metadata:
+        name: managed-cluster-security-ns
+        namespace: rhacs-operator
+      spec:
+        remediationAction: inform
+        severity: high
+        object-templates:
+          - complianceType: musthave
+            objectDefinition:
+              apiVersion: v1
+              kind: Namespace
+              metadata:
+                name: stackrox
+          - complianceType: musthave
+            objectDefinition:
+              apiVersion: v1
+              kind: Namespace
+              metadata:
+                name: rhacs-operator
+          - complianceType: musthave
+            objectDefinition:
+              apiVersion: operators.coreos.com/v1
+              kind: OperatorGroup
+              metadata:
+                name: rhacs-operator-group
+                namespace: rhacs-operator
+              spec: {}
+  - objectDefinition:
+      apiVersion: policy.open-cluster-management.io/v1
+      kind: ConfigurationPolicy
+      metadata:
+        name: managed-cluster-security-operator-sub
+        namespace: rhacs-operator
+      spec:
+        remediationAction: inform
+        severity: high
+        object-templates:
+          - complianceType: musthave
+            objectDefinition:
+              apiVersion: operators.coreos.com/v1alpha1
+              kind: Subscription
+              metadata:
+                name: rhacs-operator
+                namespace: rhacs-operator
+              spec:
+                channel: latest
+                installPlanApproval: Automatic
+                name: rhacs-operator
+                source: redhat-operators
+                sourceNamespace: openshift-marketplace
+  - objectDefinition:
+      apiVersion: policy.open-cluster-management.io/v1
+      kind: ConfigurationPolicy
+      metadata:
+        name: managed-cluster-security-endpoints
+        namespace: rhacs-operator
+      spec:
+        remediationAction: inform
+        severity: high
+        object-templates:
+          - complianceType: musthave
+            objectDefinition:
+              apiVersion: platform.stackrox.io/v1alpha1
+              kind: SecuredCluster
+              metadata:
+                namespace: stackrox
+                name: stackrox-secured-cluster-services
+              spec:
+                clusterName: |
+                  {{ fromSecret "open-cluster-management-agent" "hub-kubeconfig-secret" "cluster-name" | base64dec }}
+                auditLogs:
+                  collection: Auto
+                centralEndpoint: |
+                  {{ fromSecret "stackrox" "sensor-tls" "acs-host" | base64dec }}
+                admissionControl:
+                  listenOnCreates: false
+                  listenOnEvents: true
+                  listenOnUpdates: false
+                perNode:
+                  collector:
+                    collection: EBPF
+                    imageFlavor: Regular
+                  taintToleration: TolerateTaints
+---
+apiVersion: policy.open-cluster-management.io/v1
+kind: PlacementBinding
+metadata:
+  name: binding-policy-advanced-managed-cluster-security
+  namespace: rhacs-operator
+placementRef:
+  name: placement-policy-advanced-managed-cluster-security
+  kind: PlacementRule
+  apiGroup: apps.open-cluster-management.io
+subjects:
+- name: policy-advanced-managed-cluster-security
+  kind: Policy
+  apiGroup: policy.open-cluster-management.io
+---
+apiVersion: apps.open-cluster-management.io/v1
+kind: PlacementRule
+metadata:
+  name: placement-policy-advanced-managed-cluster-security
+  namespace: rhacs-operator
+spec:
+  clusterConditions:
+  - status: "True"
+    type: ManagedClusterConditionAvailable
+  clusterSelector:
+    matchExpressions:
+      - {key: vendor, operator: In, values: ["OpenShift"]}
diff --git a/images/hybrid-microservices-ecosystems.png b/images/hybrid-microservices-ecosystems.png
diff --git a/klusterlet-crd.yaml b/klusterlet-crd.yaml