Tike container platform - FAQ

Last modified by tapiiron@helsinki_fi on 2024/02/07 06:34


Question

Answer

Should I order a project for each application? Or one per team or something similar?

A project per application is preferable. If deemed necessary, a team can order a project just for testing different things. For your own testing Codeready Containers is also a possibility, it is a locally hosted OpenShift with a few limitations running on a single virtual machine.

What is the container platform address?

On the front page Tike container platform "OpenShift console and cli"

What should a Dockerfile look like?

When possible, RedHat UBI Images should be used as a base for containers. In addition the usage of Multi-stage dockerfiles is preferable so that the container will be as small as possible.

Do note, that OpenShift forces the process, also within a container, to be run as a normal user even when the user is not defined in the Dockerfile. This is done automatically, and it could affect your applications  behaviour. For testing/development you should use the USER definition to tackle some of these problems at an early stage.

Examples: Example applications with Dockerfiles

More information: 3.2 Container process UIDs in OpenShift

How can OpenShift connect to GitLab?

  • Gitlab → OpenShift:
    • University Gitlab, version.helsinki.fi, is in the same internal network as the OpenShift cluster. Webhooks should work directly.
  • OpenShift → Gitlab:
    • The connection is not limited. If you are using Builds/Buildconfigs to pull from Gitlab, you will need to configure SSH keys that are given read access to the repository, and to pass the private key to your project as a Secret.
  • More info: 3.4 Git and OpenShift

How can OpenShift connect to GitHub?

  • Github → Openshift:
    • Github webhooks are disabled, because they would require tremendous holes in the firewall. At the moment there are no plans of enabling these.
  • Openshift → Github:
    • The connection is not limited. If you are using Builds/Buildconfigs to pull from Github, you will need to configure SSH keys that are given read access to the repository, and to pass the private key to your project as a Secret.

Can I run a database in a container?

Technically yes, but you shouldn't. You would have to ensure that the database recovers from a cluster update. The IT Center has a centralized database service, where replicated and maintained databases can be ordered from. The database service offers SQL databases (Postgresql). If a centralized database service is unsuitable for your project, you could consider running  a document database in a container. The container platform administration is not responsible for backups, fault tolerance etc. 

Kubernetes platform configurations for projects and version control. Is it necessary to version control my Kubernetes configurations for each project or application?

Yes.

In practice you want to keep each application and project a separate entity, even if the configurations are almost identical.

You can reduce the repetitiveness between different versions of the same application by for example using Helm templates.

In principle, everything needed to run the application should be version controlled with a max distance of ~3 commands from production. Except of course secrets like tokens, passwords, etc. and inputting them to with the correct names to the project should be documented and scripted. 

Is it necessary to define Kubernetes configurations for each application?

Yes. Each application has its own Kubernetes manifests and the possible sharing of those between applications happens outside the cluster, for example using Helm templates.

Should all YAML files for applications be version controlled? Is it better to deploy using the web console or with the terminal using CLI + yaml files?

Yaml files should be version controlled. The software could be first deployed using the web console and then the yaml files should be added to version control. By pulling the yamls, the containers could be deployed by editing the yaml files and by using the terminal CLI. With the yaml files, the app could be setup with a single command and the configs would be safe in the version control.


How the get an application behind SSO ("Shibboloin") in OpenShift?

  • The solution is to build a container running configured apache httpd that transmits the parameters in http headers to the application running in a separate container. In addition you would have to make the correct changes to the sp-registry (registration etc.). More detailed instructions can be found in the Authentication instructions: Shibboleth (SAML2 / OIDC) (Finnish)
  • An example solution: https://github.com/UniversityofHelsinki/shibboleth-sp-openshift
  • You will probably have to make different "sticky session" definitions, so that the logged in user will always be serviced using the same container. In addition the user's browser could sometimes (during container migration or destruction and rebuild) go to login.helsinki.fi to get a new login for your application.

What are the IP addresses for the container, if I want to open my virtual machine firewall to traffic from the container platform.

The container cluster virtual machines live in the following networks and the outward traffic from the containers looks to be originating from:

  • Test (ocp-test-0) : 128.214.137.128/27
  • Production (ocp-prod-0) : 128.214.137.0/25

How to make sure, that the Pods for a Deployment are run on separate virtual machines?

With Pod Anti-affinities:
https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#more-practical-use-cases

The matchExpression in the above link can be shortened using a matchLabel: 
https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#resources-that-support-set-based-requirements


Example
apiVersion: apps/v1
kind: Deployment
metadata:
  name: frontend
spec:
  replicas: 3
  template:
    metadata:
      labels:
        app: frontend           <=========== This label is given to all Pods
    spec:
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
          - topologyKey: kubernetes.io/hostname   <========= hostname in topology
            labelSelector:
              matchLabels:                        <========= matches labels (key-value pairs
                app: frontend                     <========= .... that are defined to be the same as template
                                                              metadata.labels was given for Pods in this Deployment
       ....


How to limit my service so that only certain IP-addresses can access it.

Set an annotation to your services Route using the key 

haproxy.router.openshift.io/ip_whitelist

 and a list as the value, consisting of whitespace separated IP addresses. More info here.

How to tell which version of a program, for example a programming language, is installed to the container? How do I list all installed packages?

Using the web client click the Pod you wish to access, click on the Terminal tab and input the following to the terminal:

# version of a program
<program> --version

# all packages
ls /usr/bin/