OpenShift install
Install StackState on OpenShift

Before you start

Before you start the installation of StackState:
  • Check that your OpenShift environment meets the requirements​
  • Request access credentials to pull the StackState Docker images from StackState support.
  • Ensure you have the OpenShift command line tools installed (oc)
  • Add the StackState helm repository to the local helm client:
1
helm repo add stackstate https://helm.stackstate.io
2
helm repo update
Copied!

Install StackState

Create project

Start by creating the project where you want to install StackState. In our walkthrough we will use the namespace stackstate:
1
oc new-project stackstate
Copied!
The project name is used in helm and kubectl commands as the namespace name in the --namespace flag

Generate values.yaml

The values.yaml file is required to deploy StackState with Helm. It contains your StackState license key, API key and other important information.
Before you continue: Make sure you have the latest version of the Helm chart with helm repo update.
The generate_values.sh script in the installation directory of the Helm chart will guide you through generating a values.yaml file that can be used to deploy StackState. You can run the generate_values.sh script in two ways:
  • Interactive mode: When the script is run without any arguments, it will guide you through the required configuration items.
    1
    ./generate_values.sh
    Copied!
  • Non-interactive mode: Run the script with the flag -n to pass configuration on the command line, this is useful for scripting.
    1
    ./generate_values.sh -n <configuration options>
    Copied!
The script requires the following configuration options:
Configuration
Flag
Description
Base URL
-b
The external URL for StackState that users and agents will use to connect. For example https://stackstate.internal. If you haven't decided on an Ingress configuration yet, use http://localhost:8080. This can be updated later in the generated file.
Username and password**
-u -p
The username and password used by StackState to pull images from quay.io/stackstate repositories.
License key
-l
The StackState license key.
Admin API password
-a
The password for the admin API. Note that this API contains system maintenance functionality and should only be accessible by the maintainers of the StackState installation. This can be omitted from the command line, the script will prompt for it.
Default password
-d
The password for the default user (admin) to access StackState's UI. This can be omitted from the command line, the script will prompt for it.
Kubernetes cluster name
-k
Option only available for plain Kubernetes installation
Store the values.yaml file somewhere safe. You can reuse this file for upgrades, which will save time and (more importantly) will ensure that StackState continues to use the same API key. This is desirable as it means agents and other data providers for StackState will not need to be updated.

Create openshift-values.yaml

Because OpenShift has stricter security model than plain Kubernetes, all of the standard security contexts in the deployment need to be disabled.
Create a Helm values file openshift-values.yaml with the following content and store it next to the generated values.yaml file. This contains the values that are needed for an OpenShift deployment.
1
backup:
2
stackGraph:
3
securityContext:
4
enabled: false
5
cluster-agent:
6
agent:
7
scc:
8
enabled: true
9
kube-state-metrics:
10
podAnnotations:
11
ad.stackstate.com/kube-state-metrics.check_names: '["kubernetes_state"]'
12
ad.stackstate.com/kube-state-metrics.init_configs: '[{}]'
13
ad.stackstate.com/kube-state-metrics.instances: '[{"kube_state_url":"http://%%host%%:%%port%%/metrics","labels_mapper":{"namespace":"kube_namespace" "label_deploymentconfig":"oshift_deployment_config","label_deployment":"oshift_deployment"},"label_joins":{"kube_pod_labels":{"label_to_match":"pod","labels_to_get":["label_deployment","label_deploymentconfig"]}}}]'
14
securityContext:
15
enabled: false
16
stackstate:
17
components:
18
all:
19
securityContext:
20
enabled: false
21
kafkaTopicCreate:
22
securityContext:
23
enabled: false
24
ui:
25
securityContext:
26
enabled: false
27
elasticsearch:
28
prometheus-elasticsearch-exporter:
29
securityContext:
30
enabled: false
31
securityContext:
32
enabled: false
33
sysctlInitContainer:
34
enabled: false
35
hbase:
36
hdfs:
37
securityContext:
38
enabled: false
39
volumePermissions:
40
enabled: false
41
hbase:
42
securityContext:
43
enabled: false
44
console:
45
securityContext:
46
enabled: false
47
tephra:
48
securityContext:
49
enabled: false
50
kafka:
51
podSecurityContext:
52
enabled: false
53
volumePermissions:
54
enabled: false
55
minio:
56
securityContext:
57
enabled: false
58
zookeeper:
59
securityContext:
60
enabled: false
Copied!

Automatically install the Cluster Agent for OpenShift

StackState has built-in support for OpenShift by means of the OpenShift StackPack. To get started quickly, the StackState installation can automate installation of this StackPack and the required Agent for the cluster that StackState itself will be installed on. This is not required and can always be done later from the StackPacks page of the StackState UI for StackState's cluster or any other OpenShift cluster.
The only required information is a name for the OpenShift cluster that will distinguish it from the other OpenShift clusters monitored by StackState. A good choice usually is the same name that is used in the kube context configuration. This will then automatically install the StackPack and install a Daemonset for the agent and a deployment for the so called cluster agent. For the full details, read the OpenShift StackPack page.
To automate this installation, the below values file can be added to the helm install command. The agent chart needs to add specific OpenShift SecurityContextConfiguration objects to the OpenShift installation.
If you're installing as an administrator on the OpenShift cluster, it is possible to automatically create this. You can configure this using the following configuration option in the values file:
Pod(s)
Config key
Description
The Agent that runs the Kubernetes checks
cluster-agent.agent.scc.enabled
This process needs to run a privileged container with direct access to the host(network) and volumes.
If you're not installing as an administrator, follow the instructions below to first install the SecurityContextConfiguration objects in OpenShift. Then ensure that you set the above configuration flag to false.
The values file that automates the installation of the OpenShift StackPack and monitoring agent is:
1
stacktate:
2
stackpacks:
3
installed:
4
- name: openshift
5
configuration:
6
openshift_cluster_name: <CLUSTER_NAME>
7
cluster-agent:
8
agent:
9
scc:
10
enabled: true
11
enabled: true
12
stackstate:
13
cluster:
14
name: <CLUSTER_NAME>
15
authToken: <RANDOM_TOKEN>
16
kube-state-metrics:
17
securityContext:
18
enabled: false
Copied!
Two placeholders in this file need to be given a value before this can be applied to the Helm installation:
  • <CLUSTER_NAME>: A name that StackState will use to identify the cluster
  • <RANDOM_TOKEN>: A 32 character random token. This can be generated by executing head -c32 < /dev/urandom | md5sum | cut -c-32
Save this as agent-values.yaml and add it to the helm install command to enable this feature.

Deploy StackState with Helm

The recommended deployment of StackState is a production ready, high availability setup with many services running redundantly. If required, it is also possible to run StackState in a non-redundant setup, where each service has only a single replica.
The non-high availability setup is only suitable for situations that do not require high availability.
High availability setup
Non-high availability setup
To deploy StackState in a high availability setup on OpenShift:
  1. 1.
    Before you deploy:
  2. 2.
    Deploy the latest StackState version to the stackstate namespace with the following command:
1
helm upgrade \
2
--install \
3
--namespace stackstate \
4
--values values.yaml \
5
--values openshift-values.yaml \
6
stackstate \
7
stackstate/stackstate
Copied!
To deploy StackState in a non-high availability setup on OpenShift:
  1. 1.
    Before you deploy:
  2. 2.
    Deploy the latest StackState version to the stackstate namespace with the following command:
1
helm upgrade \
2
--install \
3
--namespace stackstate \
4
--values values.yaml \
5
--values nonha_values.yaml \
6
--values openshift-values.yaml \
7
stackstate \
8
stackstate/stackstate
Copied!
After the install, the StackState release should be listed in the StackState namespace and all pods should be running:
1
# Check the release is listed
2
helm list --namespace stackstate
3
​
4
# Check pods are running
5
# It may take some time for all pods to be installed or available
6
kubectl get pods --namespace stackstate
Copied!

Access the StackState UI

After StackState has been deployed, you can check if all pods are up and running:
1
kubectl get pods --namespace stackstate
Copied!
When all pods are up, you can enable a port-forward:
1
kubectl port-forward service/stackstate-router 8080:8080 --namespace stackstate
Copied!
StackState will now be available in your browser at https://localhost:8080. Log in with the username admin and the default password provided in the values.yaml file.
Next steps are

Manually create SecurityContextConfiguration objects

If you cannot use an administrator account to install StackState on OpenShift, ask your administrator to apply the below SecurityContextConfiguration objects.

Cluster Agent

If you want to monitor the OpenShift cluster using the OpenShift StackPack and Cluster Agent, the below SecurityContextConfiguration needs to be applied:
1
allowHostDirVolumePlugin: true
2
allowHostIPC: true
3
allowHostNetwork: true
4
allowHostPID: true
5
allowHostPorts: true
6
allowPrivilegeEscalation: true
7
allowPrivilegedContainer: true
8
allowedCapabilities: []
9
allowedUnsafeSysctls:
10
- '*'
11
apiVersion: security.openshift.io/v1
12
defaultAddCapabilities: null
13
fsGroup:
14
type: MustRunAs
15
groups: []
16
kind: SecurityContextConstraints
17
metadata:
18
name: stackstate-agent-scc
19
priority: null
20
readOnlyRootFilesystem: false
21
requiredDropCapabilities: null
22
runAsUser:
23
type: MustRunAsRange
24
seLinuxContext:
25
type: RunAsAny
26
seLinuxOptions:
27
user: "system_u"
28
role: "system_r"
29
type: "spc_t"
30
level: "s0"
31
seccompProfiles: []
32
supplementalGroups:
33
type: RunAsAny
34
users:
35
volumes:
36
- configMap
37
- downwardAPI
38
- emptyDir
39
- hostPath
40
- secret
Copied!
Save this file as agent-scc.yaml and apply it as an administrator of the OpenShift cluster using the following command:
1
oc apply -f agent-scc.yaml
Copied!
After this file is applied, execute the following command as administrator to grant the service account access to this SecurityContextConfiguration object:
1
> oc adm policy add-scc-to-user stackstate-agent-scc system:serviceaccount:stackstate:stackstate-cluster-agent-agent
Copied!

See also

Last modified 11d ago