Merge pull request #22 from devsecops-workshop/webterminal

Webterminal

Author: goetzrieger

content/10-rhacs-setup/_index.md

@@ -88,13 +88,24 @@ Now create a new Integration:
 
 First you have to generate an init bundle which contains certificates and is used to authenticate a **SecuredCluster** to the **Central** instance, again regardless if it's the same cluster as the Central instance or a remote/other cluster.
 
-In the **ACS Portal**:
+We are using the API to create the init bundle in this workshop. For the steps to create the init bundle in the ACS Portal see the appendix.
 
-- Navigate to **Platform Configuration → Integrations**.
-- Under the **Authentication Tokens** section, click on **Cluster Init Bundle**.
-- Click **Generate bundle**
-- Enter a name for the cluster init bundle and click **Generate**.
-- Click **Download Kubernetes Secret File** to download the generated bundle.
+Creating the init bundle using the **API** on the commandline:
+
+TODO: explain
+
+``` bash
+#Export ACS central instance endpoint
+export ROX_ENDPOINT=<central_url:443>
+# Export bundle-name
+export DATA={\"name\":\"<bundle name>\"}
+# Export ACS admin password
+export PASSWORD=<password>
+
+curl -k -o bundle.json -X POST -u "admin:$PASSWORD" -H "Content-Type: application/json" --data $DATA https://${ROX_ENDPOINT}/v1/cluster-init/init-bundles
+
+cat bundle.json | jq -r '.kubectlBundle'  | base64 -d > kube-secrets.bundle
+```
 
 The init bundle needs to be applied on all OpenShift clusters you want to secure & monitor.
 
@@ -104,11 +115,10 @@ For this workshop we run **Central** and **SecuredCluster** on one OpenShift clu
 
 **Apply the init bundle**
 
-- Use the `oc` command to log in to the OpenShift cluster as `cluster-admin`.
-  - The easiest way might be to use the **Copy login command** link from the UI
-- Switch to the **Project** you installed **ACS Central** in, it should be `stackrox`.
-- Run `oc create -f <init_bundle>.yaml -n stackrox` pointing to the init bundle you downloaded from the Central instance and the Project you created.
-- This will create a number of secrets:
+- Open a web terminal
+- Use the `oc` command to switch to the **Project** you installed **ACS Central** in, it should be `stackrox`.
+- Run `oc create -f > kube-secrets.bundle -n stackrox` pointing to the init bundle you downloaded from the Central instance or created via the API as above.
+- This will create a number of secrets, the output should be:
 
 ```
 secret/collector-tls created

content/2-prepare-cluster/_index.md

@@ -30,13 +30,42 @@ After the operator has been installed it will inform you to install a `StorageSy
 You'll see a review of your settings, hit `Create StorageSystem`
 
 {{% notice tip %}}
-Don't worry if you see a _404 Page_. The ODF Operator has just extended the OpenShift Console which may no be availabe in your current view. Just relead the browser page once and your will see the System Overview
+Don't worry if you see a _404 Page_. The ODF Operator has just extended the OpenShift Console which may no be availabe in your current view. Just reload the browser page once and your will see the System Overview
 {{% /notice %}}
 
 {{< figure src="../images/odf-systems.png?width=50pc&classes=border,shadow" title="Click image to enlarge" >}}
 
 As mentioned already this takes some time so go ahead and install the other prerequisites. We'll come back later.
 
+## Prepare to run oc commands
+
+You will be asked to run `oc` (the OpenShift commandline tool) commands a couple of times. We will do this by using the **OpenShift Web Terminal**. This is the easiest way because you don't have to install `oc` or an SSH client.
+
+### Install OpenShift Web Terminal
+
+To extend OpenShift with the Web Terminal option, install the **Web Terminal** operator:
+
+- Login to the OpenShift Webconsole with you cluster admin credentials
+- In the Web Console, go to **Operators > OperatorHub** and search for the **Web Terminal** operator
+- Install the operator with default settings
+
+This will take some time and installs another operator as dependency.
+
+After the operator has installed, reload the OCP Web Console browser window. You will now have a new button (**>_**) in the upper right. Click it to start a new web terminal. From here you can run the `oc` commands when the lab guide requests it (copy/paste might depend on your laptop OS and browser settings, e.g. try `Ctrl-Shift-V` for pasting).
+
+{{< figure src="../images/web-terminal.png?width=50pc&classes=border,shadow" title="Click image to enlarge" >}}
+
+{{% notice warning %}}
+The terminal is not persistent, so if it was closed for any reason anything you did in the terminal is gone after re-opening.
+{{% /notice %}}
+
+If for any reason you can't use the webterminal, your options are:
+
+- Install and run `oc` on your laptop
+- SSH into the bastion host, if running on a Red Hat RHDP lab environment. From here you can just run `oc` without login.
+
+TODO: Change yaml applies to direct git download
+
 ## Install and Prepare Gitea
 
 We'll need Git repository services to keep our app and infrastructure source code, so let's just install trusted `Gitea` using an operator:

content/20-appendix/_index.md

@@ -3,6 +3,20 @@ title = "Appendix"
 weight = 45
 +++
 
+## Create ACS init bundle in ACS Portal
+
+Creating the init bundle using the **ACS Portal**:
+
+- Navigate to **Platform Configuration → Integrations**.
+- Under the **Authentication Tokens** section, click on **Cluster Init Bundle**.
+- Click **Generate bundle**
+- Enter a name for the cluster init bundle and click **Generate**.
+- Click **Download Kubernetes Secret File** to download the generated bundle.
+
+{{% notice warning %}}
+If you are running `oc` on your laptop, you are set. If you are SSH-ing to another host (like the bastion host) to run `oc`, you have to scp the init bundle file over there. If you are using the **OpenShift Web Terminal** you have to use the API method.
+{{% /notice %}}
+
 ## Create a serviceaccount to scan the internal OpenShift registry
 
 The integrations to the internal registry were created automatically. But to enable scanning of images in the internal registry, you'll have to configure valid credentials, so this is what you'll do: