IBM TechXchange 2023 / Unleash the Power of Hybrid Multi-Cloud Applications with IBM Cloud Satellite [3670]
Welcome
Session details
IBM TechXchange 2023 / Unleash the Power of Hybrid Multi-Cloud Applications with IBM Cloud Satellite [3670]
Embracing a hybrid multi-cloud architecture can be transformative for businesses. It offers a flexible and secure way to handle IT infrastructure, optimize costs, and ensure maximum uptime. Meet IBM Cloud Satellite, your partner in running workloads across multiple environments — be it private or public clouds or on-premises. Ready to dive into a hands-on session with IBM Cloud Satellite? Join us to learn how you can securely and efficiently expose your applications running on multi-cloud infrastructure.
Your lab environment consist of the following components:
Satellite location running on AWS (multi-cloud use case):
runs with 6 hosts (3 hosts are assigned to the location control plane, 3 hosts are used as OpenShift workers)
OpenShift cluster running on AWS Satellite location:
workers are exposed publicly with an AWS load balancer
On-premises Satellite location (hybrid-cloud use case):
runs with 6 hosts (3 hosts are assigned to the location control plane, 3 hosts are used as OpenShift workers)
OpenShift cluster running on on-premises Satellite location
Jumpbox:
connects to the AWS VPC and to the on-premises infrastructure with VPN
Exercises
Get familiar with your lab environment
In this exercise, you are going to learn about the architecture of your lab environment and learn the basic commands for IBM Cloud Satellite and Red Hat OpenShift on IBM Cloud.
Open your jumpbox
In the lab system, click the "Launch Lab" button.
On the following page, you will see one virtual machine, that is your jumpbox. Click the Red Hat icon on the screen to connect.
At this point you should be connected to the jumpbox.
Login to the IBM Cloud account using CLI
The jumpbox has IBM Cloud CLI preinstalled. To log in to the IBM Cloud account, open the terminal and execute the following command:
(Note: the IBMCLOUD_API_KEY environment variable contains an API key pregenerated for your lab user.)
Inspect Satellite locations
To list Satellite locations, use the following command:
$ ibmcloud sat location ls
You should see 2 Satellite locations: aws-location-XX (ID: xxxxxxxxxxxxxxxxxxxx) runs on AWS hosts, while on-prem-location-XX (ID: xxxxxxxxxxxxxxxxxxxx) runs on on-premises hosts.
To see the details and status of a Satellite location, you can use following command:
$ ibmcloud sat location get --location xxxxxxxxxxxxxxxxxxxx
Hosts that have sufficient compute, storage and network can be attached to a Satellite location by executing an attach script on the target machine. Once a machine is attached to a location, it can be assigned to run workloads. Each location must have at least 3 machines assigned to run the control plane.
To list hosts attached to a Satellite location, you can use:
$ ibmcloud sat host ls --location xxxxxxxxxxxxxxxxxxxx
Quiz
How many hosts does the aws-location-XX have and in what state?
Correct!
Nice job!
Not exactly!
Run the ibmcloud sat hosts ls --location aws-location-XX command and inspect the State and Cluster columns in the output.
Inspect OpenShift clusters
To list clusters, use the following command:
$ ibmcloud oc cluster ls
You should see 2 OpenShift clusters: intranet-XX and public-services-XX. Check the "Location" column in the output. Verify that the intranet-XX cluster is deployed onto the on-prem-location-XX Satellite location, while the public-services-XX cluster is deployed onto aws-location-XX. Creating OpenShift clusters on Satellite locations is very similar to creating clusters on IBM Cloud infrastructure. The only significant difference is that you need to select a target Satellite location instead of an IBM Cloud datacenter or VPC.
To see the details and status of a cluster, you can use the following command:
$ ibmcloud oc cluster get --cluster intranet-XX
To fetch the Kubernetes configuration files for a cluster, you can use the following command:
At this point you should be able to execute kubectl or oc commands, for example:
$ oc get nodes
Quiz
How many nodes does the public-services-XX cluster have?
Correct!
Nice job!
Not exactly!
Fetch the Kubernetes configuration files using the ibmcloud oc cluster config --admin --cluster public-services-XX command and then list the nodes with the oc get nodes command.
Deploy and expose public company website
In this exercise, you are going to deploy the public website of TechXchange Co. (our imaginary company) and add zones to a single-zone OpenShift cluster (public-services-XX) deployed on a multi-cloud location (aws-location-XX). You will learn how to expose the app locally on your machine for debugging purposes and how to expose the application publicly through a custom domain.
Deploy company website
First, fetch the Kubernetes configuration files for the public-services-XX cluster:
Looks like the website is configured to run 2 replicas, but only 1 of them is running. This is because the deployment has pod anti-affinity configuration to ensure all pods are running on different nodes, but our cluster has only 1 node. Such an anti-affinity configuration helps increasing the resiliency of the application. If 1 of the node goes down, only 1 of the pods will become unavailable and the other 2 will keep running and serving requests.
Quiz
Which command can you use to determine the cause of the Pending pod state?
Correct!
Nice job!
If you execute the command, you should see a similar message appearing in the Events section:
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Warning FailedScheduling 16s (x8 over 14m) default-scheduler 0/1 nodes are available: 1 node(s) didn't match pod anti-affinity rules. preemption: 0/1 nodes are available: 1 No preemption victims found for incoming pod.
Not exactly!
This command lists the cluster nodes, but does not provide the exact cause why the pod could not be scheduled.
Add zones to the single-zone public-services-XX cluster
Single-node clusters might be a good option if you want to reduce costs or want to simplify the management. However, if resiliency, workload isolation and security are important factors, then a multi-node setup is more suitable.
As we already concluded earlier, the Satellite location where the public-services-XX cluster is deployed has 2 unassigned hosts. To automatically assign these hosts to the cluster, we are going to configure additional zones for the worker pool of the cluster.
To see the details of the default worker pool, execute the following command:
$ ibmcloud oc worker-pool get --worker-pool default --cluster public-services-XX
The worker pool currently has only 1 zone configured (us-east-1a). If you add new zones to your worker pool, hosts that belong to that zone will get automatically assigned as they match the labels of the worker pool.
Run the following commands to add the us-east-1b and us-east-1c zones:
That was easy. Let's see the host assignments now:
$ ibmcloud sat host ls --location aws-location-XX
Now all the location hosts are assigned and the public-services-XX has 1 host in each of the zones (us-east-1a, us-east-1b, us-east-1c). It will take 10-15 minutes for the nodes to be fully ready. You do not need to wait for the nodes to be provisioned to continue the lab tasks. We suggest to proceed with the next task and check back later if you have enough time.
Once the provisioning is completed, you can see the nodes appearing:
$ oc get node
With sufficient number of nodes, the pods of our public website are running as expected:
$ oc get pods -n public-website
Expose company website on your local machine
Sometimes it is useful to expose applications on your local machine for debugging purposes. The port forward feature provided by Kubernetes makes this possible for you: the Kubernetes API server establishes a secure HTTP connection and forwards traffic from a designated local port to the specified pod(s) within the cluster.
You might remember from the architecture diagram that there is a network load balancer provisioned in your VPC. This load balancer is accessible from the internet and forwards traffic arriving to TCP80 and TCP443 into the nodes of the public-services-XX cluster.
The public IP address of this load balancer varies for each lab environment, your IP address is: X.X.X.X.
We prepared a custom default domain for your cluster: txc-3670-XX.us-south.satellite.appdomain.cloud.
To see the current configuration of the domain, you can use:
$ ibmcloud oc ingress domain get --cluster public-services-XX --domain txc-3670-XX.us-south.satellite.appdomain.cloud
Note that currently private IP addresses are registered (the host addresses). Let's replace the addresses with the public load balancer's IP address:
As a last step, you need to create a Route configuration to expose the public website using the OpenShift Ingress Controller. Since the txc-3670-XX.us-south.satellite.appdomain.cloud custom domain is a wildcard domain, you can use the public.txc-3670-XX.us-south.satellite.appdomain.cloud to expose the public website:
The DNS update might take a few minutes, but once the update is completed, you should be able to access TechXchange Co.'s public website through the public.txc-3670-XX.us-south.satellite.appdomain.cloud URL.
You can also open the site from your mobile device by scanning the below QR code:
Quiz
We managed to open the webpage using HTTPS and the browser evaluates the connection as secure. This is because for every managed domain (*.satellite.appdomain.cloud and *.containers.appdomain.cloud) IBM Cloud generates a TLS certificates. Who is the issuer of the certificate?
Correct!
Nice job!
Not exactly!
Run the ibmcloud oc ingress domain get --cluster public-services-XX --domain txc-3670-XX.us-south.satellite.appdomain.cloud command again and inspect Cert Provider field in the output.
Expose intranet website internally
In this task, you will learn how Satellite Config is set up to deploy the intranet website of TechXchange Co. to an OpenShift cluster (intranet-XX) deployed on a hybrid-cloud location (on-prem-location-XX). You will learn how to manage custom TLS certificates using IBM Cloud Secrets Manager and how to expose an application through private DNS and secure communication with your custom TLS certificate.
Inspect Satellite Config of your intranet website deployment
With the help of Satellite Config, you can easily and consistently deploy, manage, and control your applications and policies across clusters and locations. In this section you are going to learn how we set up Satellite Config to deploy the intranet website using a GitOps approach. The Kubernetes resources are located in a public GitHub repository.
The setup consists of three steps:
Creating a configuration that defines the resources to be deployed.
For this lab, we created a configuration that watches the https://github.com/ibm-satellite/ibm-techxchange-2023-3670 public GitHub repository.
Creating cluster group(s) to deploy the resources to.
We created a group of clusters that includes all your intranet-XX clusters.
Creating subscriptions to associate configuration(s) with cluster group(s).
We created a subscription to associate the GitOps configuration with the cluster group.
Here is the overall configuration:
Now, let's check the application. First, fetch the Kubernetes configuration files for the intranet-XX cluster:
Check if the intranet-website pods are running in the intranet-website namespace:
$ oc get pods -n intranet-website
Expose intranet website on the company network
TechXchange Co.'s DNS zone is txc3670.private. You are going to expose the intranet site on the intranet-XX.txc3670.private. This address has already been created for you and points to the Ingress domain of your intranet-XX cluster. Let's validate if the DNS setup is correct.
To see the Ingress domain of your intranet-XX cluster, use the following command:
$ ibmcloud oc ingress domain ls --cluster intranet-XX
Try resolving the intranet-XX.txc3670.private domain and compare the addresses:
$ dig intranet-XX.txc3670.private
All right, the DNS configuration is now verified. The next step is to deploy a TLS certificate that has been issued by TechXchange Co.'s internal CA. We already generated a certificate for your intranet-XX.txc3670.private domain and uploaded it to an IBM Cloud Secrets Manager instance.
Open https://cloud.ibm.com in Google Chrome and log in with the provided credentials.
Once logged in, select the 2579262 - itztsglenablement204 account in the account selector.
Open the resource list view from the left hand menu, then scroll down to the Security section. Open the IBM Cloud Secrets Manager instance named lab-secrets.
Go to the settings page and copy the instance CRN to the clipboard.
You will need to associate the lab-secrets Secrets Manager instance with the intranet-XX cluster. Go back to the terminal and run the following command (substitute CRN with the CRN from the clipboard):
Let's get back to the Secret Manager instance. Select the Secrets menu and find your own TLS certificate. Remember, the domain you are going to use is intranet-XX.txc3670.private, so look for that in the list.
Click on your secret to see its details. Scroll down to the bottom to find the CRN of the secret and copy it to the clipboard.
Get back to the terminal and create a Secret resource on the intranet-XX cluster using the Secrets Manager secret (substitute CRN with the CRN from the clipboard):
Let's check if the Secret resource is created in the intranet-website namespace by executing:
$ oc get secret -n intranet-website intranet-XX
At this point the DNS is verified. The secret with the TLS certificate exists on the cluster. The last step is to expose the intranet website with the OpenShift router. You can create an Ingress resource on the cluster with the appropriate configuration to achieve this.
Create a file using your favorite editor and save it as ingress.yaml with the following contents:
It is done! The intranet site should be available on the https://intranet-XX.txc3670.private domain now on the company's internal network. Open it in the browser to verify.
Quiz
We managed to open the webpage using HTTPS and the browser evaluates the connection as secure even when using a custom certificate issued by TechXchange Co.'s private CA. How is this possible?
Correct!
Nice job!
Not exactly!
The certificate chain contains a leaf certificate for intranet-XX.txc3670.private that is signed by the private CA (techxchange3670.tmp).
Not exactly!
Browsers (and operating systems) usually have a list of trusted CAs that do not include private CAs.
End of lab
Congratulations
Congratulations on completing this lab! Impressive work!
To recap what you did today:
You got familiar with IBM Cloud Satellite.
You learnt how to deploy applications with Satellite Config.
You exposed applications on your local machine for debugging purposes, publicly to the internet and privately to a secure network.
You learnt how to manage custom TLS certificates with IBM Cloud Secrets Manager.
