OpenShift install

Search…
StackState version 4.2 (EOL)
OpenShift install
install StackState on OpenShift
This page describes StackState version 4.2.
The StackState 4.2 version range is End of Life (EOL) and no longer supported. We encourage customers still running the 4.2 version range to upgrade to a more recent release.
Go to the documentation for the latest StackState release.
Before you start
Before you start the installation of StackState:
Check that your OpenShift environment meets the requirements​
Request access credentials to pull the StackState Docker images from StackState support.
Ensure you have the OpenShift command line tools installed (oc)
Add the StackState helm repository to the local helm client:
1
helm repo add stackstate https://helm.stackstate.io
2
helm repo update
Copied!
Install StackState
1.​Create the project where StackState will be installed​
2.​Generate the values.yaml file​
3.​Additional OpenShift values file​
4.​Automatically install the Cluster Agent for OpenShift​
5.​Deploy StackState with Helm​
6.​Access the StackState UI​
7.​Manually create SecurityContextConfiguration objects​
Create project
Start by creating the project where you want to install StackState. In our walkthrough we will use the namespace stackstate:
1
oc new-project stackstate
Copied!
The project name is used in helm and kubectl commands as the namespace name in the --namespace flag
Generate values.yaml
The values.yaml is required to deploy StackState with Helm. It contains your StackState license key, API key and other important information. The generate_values.sh script in the installation directory of the Helm chart will guide you through generating the file.
Before you continue: If you didn't already, make sure you have the latest version of the Helm chart with helm repo update.
You can run the generate_values.sh script in two ways:
Interactive mode: When the script is run without any arguments, it will guide you through the required configuration items.
1
./generate_values.sh
Copied!
Non-interactive mode: Run the script with the flag -n to pass configuration on the command line, this is useful for scripting.
1
./generate_values.sh -n <configuration options>
Copied!
The script requires the following configuration options:
Configuration
Flag
Description
Base URL
-b
The external URL for StackState that users and agents will use to connect. For example https://stackstate.internal. If you haven't decided on an Ingress configuration yet, use http://localhost:8080. This can be updated later in the generated file.
Username and password**
-u -p
The username and password used by StackState to pull images from quay.io/stackstate repositories.
License key
-l
The StackState license key.
Admin API password
-a
The password for the admin API. Note that this API contains system maintenance functionality and should only be accessible by the maintainers of the StackState installation. This can be omitted from the command line, the script will prompt for it.
Default password
-d
The password for the default user (admin) to access StackState's UI. This can be omitted from the command line, the script will prompt for it.
Kubernetes cluster name
-k
Option only available for plain Kubernetes installation
For OpenShift install, follow the instructions to Automatically install the Cluster Agent.
​
​
The generated file is suitable for a production setup (i.e. redundant storage services). It is also possible to create smaller deployments for test setups, see development setup.
Store the values.yaml file somewhere safe. You can reuse this file for upgrades, which will save time and (more importantly) will ensure that StackState continues to use the same API key. This is desirable as it means agents and other data providers for StackState will not need to be updated.
Additional OpenShift values file
Because OpenShift has stricter security model than plain Kubernetes, all of the standard security contexts in the deployment need to be disabled. Furthermore, the StackState installation needs to add specific OpenShift SecurityContextConfiguration objects to the OpenShift installation.
If you're installing using an administrator account it is possible to automatically create these as needed.
Pod(s)
Config key
Description
The HBase HDFS namenodes
hbase.hdfs.scc.enabled
For the clients to write to the store, the HDFS processes require permissions to run chmod on their volumes and need to run with a specific (pre-known) UID.
If you're not using an administrator account, please follow the instructions below to first install the SecurityContextConfiguration objects in OpenShift. After that install the StackState Helm chart with the above flag set to false.
The values that are needed for an OpenShift deployment are:
1
stackstate:
2
  components:
3
    all:
4
      securityContext:
5
        enabled: false
6
    kafkaTopicCreate:
7
      securityContext:
8
        enabled: false
9
    ui:
10
      securityContext:
11
        enabled: false
12
elasticsearch:
13
  securityContext:
14
    enabled: false
15
  sysctlInitContainer:
16
    enabled: false
17
kafka:
18
  podSecurityContext:
19
    enabled: false
20
  volumePermissions:
21
    enabled: false
22
hbase:
23
  hdfs:
24
    scc:
25
      enabled: true
26
    securityContext:
27
      enabled: true
28
    volumePermissions:
29
      enabled: true
30
      securityContext:
31
        enabled: true
32
        privileged: false
33
  hbase:
34
    securityContext:
35
      enabled: false
36
  console:
37
    securityContext:
38
      enabled: false
39
  tephra:
40
    securityContext:
41
      enabled: false
42
zookeeper:
43
  securityContext:
44
    enabled: false
Copied!
Store this file next to the generated values.yaml file and name it openshift-values.yaml.
Automatically install the Cluster Agent for OpenShift
StackState has built-in support for OpenShift by means of the OpenShift StackPack. To get started quickly, the StackState installation can automate installation of this StackPack and the required Agent for the cluster that StackState itself will be installed on. This is not required and can always be done later from the StackPacks page of the StackState UI for StackState's cluster or any other OpenShift cluster.
The only required information is a name for the OpenShift cluster that will distinguish it from the other OpenShift clusters monitored by StackState. A good choice usually is the same name that is used in the kube context configuration. This will then automatically install the StackPack and install a Daemonset for the agent and a deployment for the so called cluster agent. For the full details, please read the OpenShift StackPack page.
To automate this installation, the below values file can be added to the helm install command. The agent chart also needs an additional SecurityContextConfiguration on OpenShift.
If you're installing as an administrator on the OpenShift cluster, it is possible to automatically create this. You can configure this using the following configuration option in the values file:
Pod(s)
Config key
Description
The Agent that runs the Kubernetes checks
cluster-agent.agent.scc.enabled
This process needs to run a privileged container with direct access to the host(network) and volumes.
If you're not installing as an administrator, please follow the instructions below to first install the SecurityContextConfiguration objects in OpenShift. Then ensure that you set the above configuration flag to false.
The values file that automates the installation of the OpenShift StackPack and monitoring agent is:
1
stacktate:
2
  stackpacks:
3
    installed:
4
      - name: openshift
5
        configuration:
6
          openshift_cluster_name: <CLUSTER_NAME>
7
cluster-agent:
8
  agent:
9
    scc:
10
      enabled: true
11
  enabled: true
12
  stackstate:
13
    cluster:
14
      name: <CLUSTER_NAME>
15
      authToken: <RANDOM_TOKEN>
16
  kube-state-metrics:
17
    podAnnotations:
18
      ad.stackstate.com/kube-state-metrics.check_names: '["kubernetes_state"]'
19
      ad.stackstate.com/kube-state-metrics.init_configs: '[{}]'
20
      ad.stackstate.com/kube-state-metrics.instances: '[{"kube_state_url":"http://%%host%%:%%port%%/metrics","labels_mapper":{"namespace":"kube_namespace","label_deploymentconfig":"oshift_deployment_config","label_deployment":"oshift_deployment"},"label_joins":{"kube_pod_labels":{"label_to_match":"pod","labels_to_get":["label_deployment","label_deploymentconfig"]}}}]'
21
    securityContext:
22
      enabled: false
Copied!
Two placeholders in this file need to be given a value before this can be applied to the Helm installation:
<CLUSTER_NAME>: A name that StackState will use to identify the cluster
<RANDOM_TOKEN>: A 32 character random token. This can be generated by executing head -c32 < /dev/urandom | md5sum | cut -c-32
Save this as agent-values.yaml and add it to the helm install command to enable this feature.
Deploy StackState with Helm
Use the generated values.yaml and copied openshift-values.yaml file to deploy the latest StackState version to the stackstate namespace with the command below. If you want to automatically install the Cluster Agent for OpenShift, you will also require the agent-values.yaml created in the previous step:
1
helm upgrade \
2
  --install \
3
  --namespace stackstate \
4
  --values values.yaml \
5
  --values openshift-values.yaml \
6
stackstate \
7
stackstate/stackstate
Copied!
After the install, the StackState release should be listed in the StackState namespace and all pods should be running:
1
# Check the release is listed
2
helm list --namespace stackstate
3
​
4
# Check pods are running
5
# It may take some time for all pods to be installed or available
6
kubectl get pods --namespace stackstate
Copied!
Access the StackState UI
After StackState has been deployed, you can check if all pods are up and running:
1
kubectl get pods --namespace stackstate
Copied!
When all pods are up, you can enable a port-forward:
1
kubectl port-forward service/stackstate-router 8080:8080 --namespace stackstate
Copied!
StackState will now be available in your browser at https://localhost:8080. Log in with the username admin and the default password provided in the values.yaml file.
Next steps are
Configure ingress​
Install a StackPack or two
Give your co-workers access.
Manually create SecurityContextConfiguration objects
If you cannot use an administrator account to install StackState on OpenShift, ask your administrator to apply the below SecurityContextConfiguration objects.
HDFS
This is required for StackState to operate
1
allowHostDirVolumePlugin: false
2
allowHostIPC: false
3
allowHostNetwork: false
4
allowHostPID: false
5
allowHostPorts: false
6
allowPrivilegeEscalation: true
7
allowPrivilegedContainer: false
8
allowedCapabilities: null
9
apiVersion: security.openshift.io/v1
10
defaultAddCapabilities: null
11
fsGroup:
12
  type: RunAsAny
13
groups: []
14
kind: SecurityContextConstraints
15
metadata:
16
  name: stackstate-hdfs-scc
17
priority: 10
18
readOnlyRootFilesystem: false
19
requiredDropCapabilities:
20
- MKNOD
21
runAsUser:
22
  type: RunAsAny
23
seLinuxContext:
24
  type: MustRunAs
25
supplementalGroups:
26
  type: RunAsAny
27
users: []
28
volumes:
29
- configMap
30
- downwardAPI
31
- emptyDir
32
- persistentVolumeClaim
33
- projected
34
- secret
Copied!
Save this file as hdfs-scc.yaml and apply it as an administrator of the OpenShift cluster using the following command:
1
oc apply -f hdfs-scc.yaml
Copied!
After this file is applied, execute the following command as administrator to grant the service account access to this SecurityContextConfiguration object:
1
> oc adm policy add-scc-to-user stackstate-hdfs-scc system:serviceaccount:stackstate:stackstate-hbase-hdfs
Copied!
Cluster Agent
If you want to monitor the OpenShift cluster using the OpenShift StackPack and Cluster Agent, the below SecurityContextConfiguration needs to be applied:
1
allowHostDirVolumePlugin: true
2
allowHostIPC: true
3
allowHostNetwork: true
4
allowHostPID: true
5
allowHostPorts: true
6
allowPrivilegeEscalation: true
7
allowPrivilegedContainer: true
8
allowedCapabilities: []
9
allowedUnsafeSysctls:
10
- '*'
11
apiVersion: security.openshift.io/v1
12
defaultAddCapabilities: null
13
fsGroup:
14
  type: MustRunAs
15
groups: []
16
kind: SecurityContextConstraints
17
metadata:
18
  name: stackstate-agent-scc
19
priority: null
20
readOnlyRootFilesystem: false
21
requiredDropCapabilities: null
22
runAsUser:
23
  type: MustRunAsRange
24
seLinuxContext:
25
  type: RunAsAny
26
  seLinuxOptions:
27
    user: "system_u"
28
    role: "system_r"
29
    type: "spc_t"
30
    level: "s0"
31
seccompProfiles: []
32
supplementalGroups:
33
  type: RunAsAny
34
users:
35
volumes:
36
  - configMap
37
  - downwardAPI
38
  - emptyDir
39
  - hostPath
40
  - secret
Copied!
Save this file as agent-scc.yaml and apply it as an administrator of the OpenShift cluster using the following command:
1
oc apply -f agent-scc.yaml
Copied!
After this file is applied, execute the following command as administrator to grant the service account access to this SecurityContextConfiguration object:
1
> oc adm policy add-scc-to-user stackstate-agent-scc system:serviceaccount:stackstate:stackstate-cluster-agent-agent
Copied!
See also
For other configuration and management options, please refer to the Kubernetes documentation:
​Manage a StackState Kubernetes installation​