IBM Cloud Docs
Setting up trusted profiles for the OpenShift Data Foundation add-on

Setting up trusted profiles for the OpenShift Data Foundation add-on

Virtual Private Cloud Classic clusters

You can use trusted profiles to limit the access that running pods in your cluster have to other resources in your account or cluster. For more information about trusted profiles, see Creating trusted profiles.

Enabling the OpenShift Data Foundation add-on

  1. Log in to your account. If applicable, target the appropriate resource group. Set the context for your cluster.

  2. Enable the add-on in your cluster. Review the Parameter Reference.

    Example command:

    ibmcloud oc cluster addon enable openshift-data-foundation -c <cluster-name> --version 4.X.X

  3. Verify that the add-on state is normal and the status is ready.

    ibmcloud oc cluster addon ls --cluster CLUSTER-ID

  4. Verify that the metrics agent pod is deployed and the status is Running.

    kubectl get pods -n kube-system | grep ibm-storage-metrics-agent

    Example output:

    ibm-storage-metrics-agent-644cd95b5b-rh2gd        2/2     Running   0          7h42m

Setting up trusted profiles

  1. Follow the steps to create a trusted profile. In the Conditions for the profile, be sure to specify the following access.

    • Allow access when Namespace equals kube-system
    • Satellite Service Roles - Satellite Link Administrator, Reader
    • Kubernetes Service Roles - Manager, Editor
    • Billing Service Roles - Reader, Operator

  2. After you create your trusted profile, copy the ID from the Trusted profiles page in the console.

  3. Decide if you want to use the Profile ID or an API key in the Kubernetes secret that the add-on uses. You can create the secret by using the ID or API key for the trusted profile. Save the following text and enter your credentials. You can follow the steps to create the secret manually or you can use the shell script to automatically create the secret in your cluster.

    Example credentials with pod identity:

    IBMCLOUD_AUTHTYPE=pod-identity
IBMCLOUD_PROFILEID=<TRUSTED-PROFILE-ID>

    Example credentials with an API key.

    IBMCLOUD_AUTHTYPE=iam
IBMCLOUD_APIKEY=<API-KEY>

  4. Encode the credentials to base64.

    echo -n "IBMCLOUD_AUTHTYPE=<IAM-OR-POD-IDENTITY>
IBMCLOUD_APIKEY=<API-KEY>" | base64

  5. Create a secret in your cluster that contains the credentials for the trusted profile. Save the following YAML to a file called ibm-cloud-credentials.yaml. In the ibm-credentials.env: field, enter the base64 encoded API key or the ID of trusted profile.

    apiVersion: v1
data:
  ibm-credentials.env: # Trusted profile ID
kind: Secret
metadata:
  name: ibm-cloud-credentials
  namespace: kube-system
type: Opaque

  6. Log in to your account. If applicable, target the appropriate resource group. Set the context for your cluster.

  7. Create the secret in your cluster.

    kubectl apply -f ibm-cloud-credentials.yaml

  8. Restart the agent pods.

    kubectl delete pod <ibm-storage-metrics-agent> -n kube-system>

Automatically creating a secret by using a Shell script

  1. Follow the steps to create a trusted profile. In the Conditions for the profile, be sure to specify the following access.

    • Allow access when Namespace equals kube-system
    • Satellite Service Roles - Satellite Link Administrator, Reader
    • Kubernetes Service Roles - Manager, Editor
    • Billing Service Roles - Reader, Operator

  2. Save the following script to a file called generate-secret.sh.

    IBMCLOUD_AUTHTYPE= 
SECRET= 


error() { 
    if [[ $? != 0 ]]; then 
        echo "$1"; exit 1 
    fi 
} 

#validate_arguments validates the arguments provided to the script 
validate_arguments() { 
    if [[ "$#" -eq 1 ]]; then 
    if [[ "$1" == "-h" ]] || [[ "$1" == "--help" ]]; then 
        usage; exit 1 
    fi 
    fi 

        #number of arguments provided to the script must be 2 
    if [[ "$#" -ne 2 ]]; then 
        echo "Invalid number of arguments provided" 
        usage; exit 1 
    fi 

    #1st argument must be 'iam' or 'pod-identity' 
    if [[ "$1" != "iam" ]] && [[ "$1" != "pod-identity" ]]; then 
        echo "Provide a valid auth-type" 
        usage; exit 1 
    fi 

    IBMCLOUD_AUTHTYPE=$1 
    SECRET=$2 
} 

#usage - prints the usage for execution of script 
usage() { 
    echo "USAGE: 
    bash generate-secret.sh <auth-type> <apikey/profile-id> 
    auth-type: auth-type should be either iam or pod-identity. Provide iam to use api 
key, pod-identity to use trusted profile" 
} 

#main 
main() { 

    validate_arguments "$@" 

    auth_type="IBMCLOUD_AUTHTYPE=$IBMCLOUD_AUTHTYPE" 

    secret= 

    if [[ "$IBMCLOUD_AUTHTYPE" == "iam" ]]; then 
        secret="IBMCLOUD_APIKEY=$SECRET" 
    else 
        secret="IBMCLOUD_PROFILEID=$SECRET" 
    fi 

    encodedValue=$(echo -e "$auth_type\n$secret" | base64) 
    #on certain os, base64 encoding introduces newline, removing the same here. 
    encodedValue=${encodedValue//$'\n'/} 

    #fetch the agent pod name 
    agentPodName=$(kubectl get pods -n kube-system | grep ibm-storage-metrics-agent | awk '{print $1}') 
    error "$(date +"%b %d %G %H:%M:%S"):  Unable to fetch ODF agent pod." 
    if [[ "$agentPodName" == "" ]]; then 
        echo "$(date +"%b %d %G %H:%M:%S"):  Error - ibm-storage-metrics-agent pod 
not found" 
        exit 1 
    fi 

    echo "apiVersion: v1 
data: 
ibm-credentials.env: $encodedValue 
kind: Secret 
metadata: 
name: ibm-cloud-credentials 
namespace: kube-system 
type: Opaque" > ibm-cloud-credentials.yaml 

    #create the k8s secret 
    kubectl apply -f ibm-cloud-credentials.yaml &> /dev/null 
    error "$(date +"%b %d %G %H:%M:%S"):  Error creating ibm-cloud-credentials 
secret." 
    echo "$(date +"%b %d %G %H:%M:%S"):  Created ibm-cloud-credentials secret" 

    #restart the ODF agent pod 
    echo "$(date +"%b %d %G %H:%M:%S"):  Restarting $agentPodName pod" 
    kubectl delete pod "$agentPodName" -n kube-system &> /dev/null 
    error "$(date +"%b %d %G %H:%M:%S"):  Error restarting $agentPodName pod in 
kube-system namespace." 

    agentPodStatus= 
    for i in {1..12} 
    do 
        sleep 5 
        agentPodStatus=$(kubectl get pods -n kube-system | grep ibm-storage-metrics-agent | awk '{print $3}') 
        if [[ "$agentPodStatus" == "Running" ]]; then 
            echo "$(date +"%b %d %G %H:%M:%S"):  $i: ODF billing agent is now using 
ibm-cloud-credentials secret" 
            rm ibm-cloud-credentials.yaml 
            error "Error deleting ibm-cloud-credentials.yaml." 
            exit 0 
        fi 
    done 

    error "$(date +"%b %d %G %H:%M:%S"):  Error - ibm-storage-metrics-agent is in 
$agentPodStatus state" 
} 

main "$@"

  3. Run the generate-secret.sh script and specify iam or pod-identity as the IBMCLOUD_AUTHTYPE and your PROFILE-ID or API-KEY.

    Example command to run generate-secret.sh by using pod-identity with your trusted profiled ID.

    sh ./generate-secret.sh pod-identity PROFILE-ID

    Example command to run generate-secret.sh by using iam with an API key.

    sh ./generate-secret.sh iam API-KEY

  4. Restart the agent pods.

    oc delete pod <ibm-storage-metrics-agent> -n kube-sysem

  5. Get the logs of the agent pod to verify the driver is using the correct credentials by looking for the secret type in the output. For example,"secret-used":"ibm-cloud-credentials","type":"pod-identity".

    oc logs ibm-storage-metrics-agent-xxx -c storage-secret-sidecar -n kube-system