OpenShift install
SUSE Observability Self-hosted
Before you start
Before you start the installation of SUSE Observability:
Check that your OpenShift environment meets the requirements
Ensure you have the OpenShift command line tools installed (
oc)Add the SUSE Observability helm repository to the local helm client:
helm repo add suse-observability https://charts.rancher.com/server-charts/prime/suse-observability
helm repo updateInstall SUSE Observability
Create project
Start by creating the project where you want to install SUSE Observability. In our walkthrough we will use the namespace suse-observability:
oc new-project suse-observabilityGenerate baseConfig_values.yaml and sizing_values.yaml
baseConfig_values.yaml and sizing_values.yamlThe baseConfig_values.yaml file is required to deploy StackState with Helm. It contains your StackState license key, StackState Receiver API key and other important information.
The sizing_values.yaml file is recommended to deploy StackState with Helm as it contains information about the resources that StackState will be provisioned with according to the size on the landscape you want to observe.
The SUSE Observability baseConfig_values.yaml and sizing_values.yaml files can be generated by running a separate Helm Chart, the suse-observability/suse-observability-values chart. A sample command line is:
export VALUES_DIR=.
helm template \
--set license='<your license>' \
--set baseUrl='<suse-observability-base-url>' \
--set sizing.profile='<sizing.profile>' \
suse-observability-values \
suse-observability/suse-observability-values --output-dir $VALUES_DIRThis command will generate a $VALUES_DIR/suse-observability-values/templates/baseConfig_values.yaml and a $VALUES_DIR/suse-observability-values/templates/sizing_values.yaml file which contains the necessary configuration for installing the SUSE Observability Helm Chart.
The values that can be passed to this chart are:
Basic Config generate
basicConfig.generate
Switch on or off the generation of the basicConfig_values.yaml file.
Receiver API Key
receiverApiKey
The API key used by SUSE Observability to receive data from agents. This is a secret key that should be kept private. If you omit this, a random key will be generated for you.
Base URL
baseUrl
The <STACKSTATE_BASE_URL>. The external URL for SUSE Observability that users and agents will use to connect. For example https://suse-observability.internal. If you haven't decided on an Ingress configuration yet, use http://localhost:8080. This can be updated later in the generated file.
Username and password**
-u -p
The username and password used by SUSE Observability to pull images. For air-gapped environments these need to be the username and password for the local docker registry.
License key
license
The SUSE Observability license key.
Default password
adminPassword
The password for the default user (admin) to access SUSE Observability's UI. If you omit this, a random password will be generated for you. If you do pass this value and it's not bcrypt hashed, the chart will hash it for you.
Image Registry
imageRegistry
The registry where the SUSE Observability images are hosted. If not provided, the default value will be 'quay.io'
Pull Secret Username
pullSecret.username
The username used to pull images from the Docker registry where the SUSE Observability images are hosted.
Pull Secret Password
pullSecret.password
The password used to pull images from the Docker registry where the SUSE Observability images are hosted.
Sizing generate
sizing.generate
Switch on or off the generation of the sizing_values.yaml file.
Sizing profile
sizing.profile
OneOf 10-nonha, 20-nonha, 50-nonha, 100-nonha, 150-ha, 250-ha, 500-ha. Based on this profiles the sizing_values.yaml file is generated containing default sizes for the SUSE Observability resources and configuration to be deployed on an Ha or NonHa mode. E.g. 10-nonha will produce a sizing_values.yaml meant to deploy a NonHa SUSE Observability instance to observe a 10 node cluster in a Non High Available mode. Currently moving from a nonha to an ha environment is not possible, so if you expect that your environment willrequire to observe around 150 nodes then better to go with ha immediately.
Create openshift-values.yaml
openshift-values.yamlBecause OpenShift has stricter security model than plain Kubernetes, all of the standard security contexts in the deployment need to be disabled.
Create a Helm values file openshift-values.yaml with the following content and store it next to the generated values.yaml file. This contains the values that are needed for an OpenShift deployment.
elasticsearch:
prometheus-elasticsearch-exporter:
podSecurityContext: ""
sysctlInitContainer:
enabled: false
scc:
enabled: true
clickhouse:
podSecurityContext:
enabled: false
containerSecurityContext:
enabled: falseDeploy SUSE Observability with Helm
The recommended deployment of SUSE Observability is a production ready, high availability setup with many services running redundantly. If required, it's also possible to run SUSE Observability in a non-redundant setup, where each service has only a single replica. This setup is only recommended for a test environment.
For air-gapped environments follow the instructions for the air-gapped installations.
To deploy SUSE Observability in a high availability setup on OpenShift:
Deploy the latest SUSE Observability version to the
suse-observabilitynamespace with the following command:
helm upgrade \
--install \
--namespace suse-observability \
--values $VALUES_DIR/suse-observability-values/templates/baseConfig_values.yaml \
--values $VALUES_DIR/suse-observability-values/templates/sizing_values.yaml \
--values openshift-values.yaml \
--set "clickhouse.sidecars[0].securityContext.runAsUser=null" \
suse-observability \
suse-observability/suse-observabilityAfter the install, the SUSE Observability release should be listed in the SUSE Observability namespace and all pods should be running:
# Check the release is listed
helm list --namespace suse-observability
# Check pods are running
# It may take some time for all pods to be installed or available
kubectl get pods --namespace suse-observabilityAccess the SUSE Observability UI
After SUSE Observability has been deployed, you can check if all pods are up and running:
kubectl get pods --namespace suse-observabilityWhen all pods are up, you can enable a port-forward:
kubectl port-forward service/suse-observability-router 8080:8080 --namespace suse-observabilitySUSE Observability will now be available in your browser at https://localhost:8080. Log in with the username admin and the default password provided in the values.yaml file.
Next steps are
Give your co-workers access.
Manually create SecurityContextConfiguration objects
SecurityContextConfiguration objectsIf you can't use an administrator account to install SUSE Observability on OpenShift, ask your administrator to apply the below SecurityContextConfiguration objects.
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
name: {{ template "common.fullname.short" . }}-{{ .Release.Namespace }}
labels:
{{- include "common.labels.standard" . | nindent 4 }}
annotations:
helm.sh/hook: pre-install
suse-observability.io/note: "Ignored by helm uninstall, has to be deleted manually"
fsGroup:
type: RunAsAny
groups:
- system:serviceaccounts:{{ .Release.Namespace }}
runAsUser:
type: RunAsAny
seLinuxContext:
type: MustRunAs
supplementalGroups:
type: RunAsAny
volumes:
- configMap
- downwardAPI
- emptyDir
- ephemeral
- persistentVolumeClaim
- projected
- secret
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: false
readOnlyRootFilesystem: falseSee also
For other configuration and management options, refer to the Kubernetes documentation - manage a SUSE Observability Kubernetes installation
Last updated