RHIDP-1923 - GKE: Document how RHDH can be installed in GKE

Gerry-Forde · Gerry-Forde · commit cec97defb5dc · 2024-11-19T15:46:31.000Z
diff --git a/modules/installation/proc-deploy-rhdh-instance-gke.adoc b/modules/installation/proc-deploy-rhdh-instance-gke.adoc
@@ -8,11 +8,11 @@
 .Prerequisites
 
 * A cluster administrator has installed the {product} Operator.
-* You have an {eks-short} cluster with {aws-short} Application Load Balancer (ALB) add-on installed. For more information, see https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html[Application load balancing on {eks-brand-name}] and https://docs.aws.amazon.com/eks/latest/userguide/aws-load-balancer-controller.html[Installing the AWS Load Balancer Controller add-on].
-* You have configured a domain name for your {product-short} instance. The domain name can be a hosted zone entry on Route 53 or managed outside of AWS. For more information, see https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-configuring.html[Configuring Amazon Route 53 as your DNS service] documentation.
-* You have an entry in the {aws-short} Certificate Manager (ACM) for your preferred domain name. Make sure to keep a record of your Certificate ARN.
+//* You have an {eks-short} cluster with {aws-short} Application Load Balancer (ALB) add-on installed. For more information, see https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html[Application load balancing on {eks-brand-name}] and https://docs.aws.amazon.com/eks/latest/userguide/aws-load-balancer-controller.html[Installing the AWS Load Balancer Controller add-on].
+//* You have configured a domain name for your {product-short} instance. The domain name can be a hosted zone entry on Route 53 or managed outside of AWS. For more information, see https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-configuring.html[Configuring Amazon Route 53 as your DNS service] documentation.
+//* You have an entry in the {aws-short} Certificate Manager (ACM) for your preferred domain name. Make sure to keep a record of your Certificate ARN.
 * You have subscribed to `registry.redhat.io`. For more information, see https://access.redhat.com/RegistryAuthentication[{company-name} Container Registry Authentication].
-* You have set the context to the {eks-short} cluster in your current `kubeconfig`. For more information, see https://docs.aws.amazon.com/eks/latest/userguide/create-kubeconfig.html[Creating or updating a kubeconfig file for an Amazon {eks-short} cluster].
+//* You have set the context to the {eks-short} cluster in your current `kubeconfig`. For more information, see https://docs.aws.amazon.com/eks/latest/userguide/create-kubeconfig.html[Creating or updating a kubeconfig file for an Amazon {eks-short} cluster].
 * You have installed `kubectl`. For more information, see https://docs.aws.amazon.com/eks/latest/userguide/install-kubectl.html[Installing or updating kubectl].
 
 .Procedure
@@ -29,18 +29,18 @@ metadata:
 data:
   "app-config-rhdh.yaml": |
     app:
-      title: {product}
-      baseUrl: https://<rhdh_dns_name>
+      title: Red Hat Developer Hub
+      baseUrl: https://<rhdh_domain_name>
     backend:
       auth:
         externalAccess:
             - type: legacy
               options:
                 subject: legacy-default-config
                 secret: "${BACKEND_SECRET}"
-      baseUrl: https://<rhdh_dns_name>
+      baseUrl: https://<rhdh_domain_name>
       cors:
-        origin: https://<rhdh_dns_name>
+        origin: https://<rhdh_domain_name>
 ----
 --
 
@@ -107,6 +107,89 @@ spec:
 ----
 --
 
+. Set up a Google-managed certificate by creating a `ManagedCertificate` object that you will later attach to the Ingress.
++
+--
+[source,yaml,subs="attributes+"]
+----
+apiVersion: networking.gke.io/v1
+kind: ManagedCertificate
+metadata:
+  name: <rhdh_certificate_name>
+spec:
+  domains:
+    - <rhdh_domain_name>
+----
+--
+For more information about setting up a Google-managed certificate, see https://cloud.google.com/kubernetes-engine/docs/how-to/managed-certs?hl=en#setting_up_a_google-managed_certificate 
+
+. Create a `FrontendConfig` object to set a policy for redirecting to HTTPS. You will later attach this policy to the Ingress. 
++
+--
+[source,yaml,subs="attributes+"]
+----
+apiVersion: networking.gke.io/v1beta1
+kind: FrontendConfig
+metadata:
+  name: <ingress_security_config>
+spec:
+  sslPolicy: gke-ingress-ssl-policy-https
+  redirectToHttps:
+    enabled: true
+----
+--
+For more information about setting a policy to redirect to HTTPS, see https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-configuration?hl=en#https_redirect
+
+. Create an Ingress resource using the following template, customizing the names as needed:
++
+--
+[source,yaml,subs="attributes+"]
+----
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  # TODO: this the name of your Developer Hub Ingress
+  name: my-rhdh
+  annotations:
+    # If the class annotation is not specified it defaults to "gce".
+    kubernetes.io/ingress.class: "gce"
+    kubernetes.io/ingress.global-static-ip-name: <ADDRESS_NAME>
+    networking.gke.io/managed-certificates: <rhdh_certificate_name>
+    networking.gke.io/v1beta1.FrontendConfig: <ingress_security_config>
+spec:
+  ingressClassName: gce
+  rules:
+    # TODO: Set your application domain name.
+    - host: <rhdh_domain_name>
+      http:
+        paths:
+        - path: /
+          pathType: Prefix
+          backend:
+            service:
+              # TODO: my-rhdh is the name of your Backstage Custom Resource.
+              # Adjust if you changed it!
+              name: backstage-my-rhdh
+              port:
+                name: http-backend
+----
+--
+
+. Wait for the `ManagedCertificate` to be provisioned. This can take a couple of hours.
+
+. Access RHDH with `https://<rhdh_domain_name>`
++
+[IMPORTANT]
+Use the HTTPS protocol, not HTTP.
+
+.Additional information
+For more information on setting up GKE using Ingress with TLS, see https://github.com/GoogleCloudPlatform/gke-networking-recipes/tree/main/ingress/single-cluster/ingress-https 
+
+For more information on setting up GKE with LoadBalancer instead of Ingress, see https://github.com/sumiranchugh/rhdh-gke-poc/tree/main 
+
+
+
+////
 . Create an Ingress resource using the following template, ensuring to customize the names as needed:
 +
 --
@@ -156,3 +239,4 @@ In the previous template, replace ` <rhdh_dns_name>` with your {product-short} d
 .Verification
 
 Wait until the DNS name is responsive, indicating that your {product-short} instance is ready for use.
+////
diff --git a/modules/installation/proc-rhdh-deploy-gke-helm.adoc b/modules/installation/proc-rhdh-deploy-gke-helm.adoc
@@ -4,17 +4,17 @@
 [id='proc-rhdh-deploy-gke-helm_{context}']
 = Installing {product-short} on {gke-short} with the Helm chart
 
-When you install the {product-short} Helm chart in {gke-name} ({gke-short}), it orchestrates the deployment of a {product-short} instance, which provides a robust developer platform within the {aws-short} ecosystem.
+When you install the {product-short} Helm chart in {gke-name} ({gke-short}), it orchestrates the deployment of a {product-short} instance, which provides a robust developer platform within the {gke-short} ecosystem.
 
 .Prerequisites
 
-* You have an {eks-short} cluster with AWS Application Load Balancer (ALB) add-on installed. For more information, see https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html[Application load balancing on Amazon {product-short}] and https://docs.aws.amazon.com/eks/latest/userguide/aws-load-balancer-controller.html[Installing the AWS Load Balancer Controller add-on].
-* You have configured a domain name for your {product-short} instance. The domain name can be a hosted zone entry on Route 53 or managed outside of AWS. For more information, see https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-configuring.html[Configuring Amazon Route 53 as your DNS service] documentation.
-* You have an entry in the AWS Certificate Manager (ACM) for your preferred domain name. Make sure to keep a record of your Certificate ARN.
+//* You have an {eks-short} cluster with AWS Application Load Balancer (ALB) add-on installed. For more information, see https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html[Application load balancing on Amazon {product-short}] and https://docs.aws.amazon.com/eks/latest/userguide/aws-load-balancer-controller.html[Installing the AWS Load Balancer Controller add-on].
+//* You have configured a domain name for your {product-short} instance. The domain name can be a hosted zone entry on Route 53 or managed outside of AWS. For more information, see https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-configuring.html[Configuring Amazon Route 53 as your DNS service] documentation.
+//* You have an entry in the AWS Certificate Manager (ACM) for your preferred domain name. Make sure to keep a record of your Certificate ARN.
 * You have subscribed to `registry.redhat.io`. For more information, see https://access.redhat.com/RegistryAuthentication[{company-name} Container Registry Authentication].
-* You have set the context to the {eks-short} cluster in your current `kubeconfig`. For more information, see https://docs.aws.amazon.com/eks/latest/userguide/create-kubeconfig.html[Creating or updating a kubeconfig file for an Amazon {eks-short} cluster].
+//* You have set the context to the {eks-short} cluster in your current `kubeconfig`. For more information, see https://docs.aws.amazon.com/eks/latest/userguide/create-kubeconfig.html[Creating or updating a kubeconfig file for an Amazon {eks-short} cluster].
 * You have installed `kubectl`. For more information, see https://docs.aws.amazon.com/eks/latest/userguide/install-kubectl.html[Installing or updating kubectl].
-* You have installed Helm 3 or the latest. For more information, see https://docs.aws.amazon.com/eks/latest/userguide/helm.html[Using Helm with Amazon {eks-short}].
+//* You have installed Helm 3 or the latest. For more information, see https://docs.aws.amazon.com/eks/latest/userguide/helm.html[Using Helm with Amazon {eks-short}].
 
 .Procedure
 
@@ -32,67 +32,77 @@ helm repo add openshift-helm-charts https://charts.openshift.io/
 --
 [source,terminal]
 ----
-kubectl create secret docker-registry rhdh-pull-secret \
+kubectl -n <your-namespace> create secret docker-registry rhdh-pull-secret \ <1>
     --docker-server=registry.redhat.io \
-    --docker-username=<user_name> \ <1>
-    --docker-password=<password> \ <2>
-    --docker-email=<email> <3>
+    --docker-username=<user_name> \ <2>
+    --docker-password=<password> \ <3>
+    --docker-email=<email> <4>
 ----
-<1> Enter your username in the command.
-<2> Enter your password in the command.
-<3> Enter your email address in the command.
+<1> Enter your GKE namespace in the command.
+<2> Enter your username in the command.
+<3> Enter your password in the command.
+<4> Enter your email address in the command.
 
 The created pull secret is used to pull the {product-short} images from the {company-name} Ecosystem.
 --
 
-. Create a file named `values.yaml` using the following template:
+. Set up a Google-managed certificate by creating a `ManagedCertificate` object that you will later attach to the Ingress.
 +
+--
 [source,yaml,subs="attributes+"]
 ----
-global:
-  # TODO: Set your application domain name.
-  host: <your {product-short} domain name>
+apiVersion: networking.gke.io/v1
+kind: ManagedCertificate
+metadata:
+  name: <rhdh_certificate_name>
+spec:
+  domains:
+    - <rhdh_domain_name>
+----
+--
+For more information about setting up a Google-managed certificate, see https://cloud.google.com/kubernetes-engine/docs/how-to/managed-certs?hl=en#setting_up_a_google-managed_certificate 
 
+. Create a `FrontendConfig` object to set a policy for redirecting to HTTPS. You will later attach this policy to the Ingress. 
++
+--
+[source,yaml,subs="attributes+"]
+----
+apiVersion: networking.gke.io/v1beta1
+kind: FrontendConfig
+metadata:
+  name: <ingress_security_config>
+spec:
+  sslPolicy: gke-ingress-ssl-policy-https
+  redirectToHttps:
+    enabled: true
+----
+--
+For more information about setting a policy to redirect to HTTPS, see https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-configuration?hl=en#https_redirect
 
+. Create a file named `values.yaml` using the following template:
++
+[source,yaml,subs="attributes+"]
+----
+global:
+  host: <rhdh_domain_name>
 route:
   enabled: false
-
-
 upstream:
   service:
-    # NodePort is required for the ALB to route to the Service
     type: NodePort
-
-
   ingress:
     enabled: true
     annotations:
-      kubernetes.io/ingress.class: alb
-
-
-      alb.ingress.kubernetes.io/scheme: internet-facing
-
-
-      # TODO: Using an ALB HTTPS Listener requires a certificate for your own domain. Fill in the ARN of your certificate, e.g.:
-      alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:xxx:xxxx:certificate/xxxxxx
-
-
-      alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
-
-
-      alb.ingress.kubernetes.io/ssl-redirect: '443'
-
-
-      # TODO: Set your application domain name.
-      external-dns.alpha.kubernetes.io/hostname: <your rhdh domain name>
-
-
+      kubernetes.io/ingress.class: gce
+      kubernetes.io/ingress.global-static-ip-name: <ADDRESS_NAME>
+      networking.gke.io/managed-certificates: <rhdh_certificate_name>
+      networking.gke.io/v1beta1.FrontendConfig: <ingress_security_config>
+    className: gce
   backstage:
     image:
       pullSecrets:
       - rhdh-pull-secret
     podSecurityContext:
-      # you can assign any random value as fsGroup
       fsGroup: 2000
   postgresql:
     image:
@@ -101,7 +111,6 @@ upstream:
     primary:
       podSecurityContext:
         enabled: true
-        # you can assign any random value as fsGroup
         fsGroup: 3000
   volumePermissions:
     enabled: true
@@ -110,16 +119,43 @@ upstream:
 +
 [source,terminal,subs="attributes+"]
 ----
-helm install rhdh \
+helm -n <your_namespace> install -f values.yaml <your_deploy_name> \
   openshift-helm-charts/redhat-developer-hub \
-  [--version {product-chart-version}] \
-  --values /path/to/values.yaml
+  --version {product-chart-version}
+----
++
+For the latest Helm Chart version, see https://github.com/openshift-helm-charts/charts/tree/main/charts/redhat/redhat/redhat-developer-hub
++
+It takes some time to deploy it, check if the deployment completed use this command
++
+[source,terminal,subs="attributes+"]
+----
+kubectl get deploy <you_deploy_name>-developer-hub -n <your_namespace>
 ----
 
-[NOTE]
-====
-For the latest chart version, see https://github.com/openshift-helm-charts/charts/tree/main/charts/redhat/redhat/redhat-developer-hub
-====
+. Verify that the service and ingress were created
++
+[source,terminal,subs="attributes+"]
+----
+kubectl get service -n <your_namespace>
+kubectl get ingress -n <your_namespace>
+----
+
+. Wait for the `ManagedCertificate` to be provisioned. This can take a couple of hours.
+
+. Access RHDH with `https://<rhdh_domain_name>`
++
+[IMPORTANT]
+Use the HTTPS protocol, not HTTP.
+
+. To upgrade or delete your deployment use (mind the –version)
++
+[source,terminal,subs="attributes+"]
+----
+helm -n <your_namespace> upgrade -f values.yaml <your_deploy_name> openshift-helm-charts/redhat-developer-hub --version 1.3.0
+
+helm -n <your_namespace> delete <your_deploy_name>
+----
 
 .Verification
 
