Configurable Settings - Server on OpenShift Operator



How to apply changes to the OpenShift Operator environment

Air-Gapped (Offline) environment

Changes in the installation.yaml can be applied by running the install.sh script or the upgrade.sh script in an OpenShift Offline environment. Note that re-running the install.sh script deletes any database information that was stored previously.

Online environment

When working in the OpenShift Console, changes in the Operator YAML will automatically be applied as new Pods are brought online reflecting the changes.


Required fields in installation.yaml

Variable Name
Key Value
Explanation of the Variable and Key Values
server.host
String The server.host value needs to start with http:// or https://. The value can be an IP Address or a FQDN. This value needs to match the URL that Developers will use in a browser to access this server.
server.org_name
String Used as an identifier for the Organization using vFunction
server.admin.email
String Accepted characters include A-Z a-z 0-9 . _ % + - @
server.admin.name
String Used as an identifier for the logged-in user in the vFunction Server UI
server.admin.password
String The password the Admin uses to first log in to the Server UI. The Admin can then change the password from the Server UI if desired. Minimum requirements: 8 characters, lower & uppercase letter, number and a special character ! @ # $ % ^ &
server.upgrade
String Three potential strings can be used for this field:
  • Daily: The operator will check for a new version every day at 3 AM and will install it automatically
  • Always: The operator will check for a new version every 10 minutes and will install it automatically
  • Never: Do not upgrade automatically (default)
measurement.auto_scaling
String Two potential strings can be used for this field:
  • Yes: Indicates that the measurement services auto scaling is active
  • No: Indicates that the measurement services auto scaling is not active (default)
measurement.min_num_of_services
Integer The default value is 1. If measurements.auto_scaling is "No", this will be the number of measurements service pods
measurement.max_num_of_services
Integer The default value is 10. This value is only relevant if measurements.auto_scaling is "Yes"
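
A pre-flight check for the server.* rows of the table above, as an added example (not vFunction code). It assumes the server mapping has already been loaded from installation.yaml into a Python dict; validate_server, SAMPLE and BROKEN are hypothetical names, and the inputs are constructed.

```python
import re

# Rules transcribed from the required-fields table above.
UPGRADE_VALUES = {"Daily", "Always", "Never"}
EMAIL_CHARS = re.compile(r"[A-Za-z0-9._%+\-@]+")
PASSWORD_SPECIALS = set("!@#$%^&")


def validate_server(server):
    """Return a list of problems found in the `server` mapping of installation.yaml."""
    problems = []
    admin = server.get("admin") or {}
    host = server.get("host") or ""
    if not host.startswith(("http://", "https://")):
        problems.append("server.host must start with http:// or https://")
    for key, value in (("server.org_name", server.get("org_name")),
                       ("server.admin.name", admin.get("name"))):
        if not value:
            problems.append(f"{key} is empty")
    email = admin.get("email") or ""
    # Requiring an "@" is an assumption added here; the table only lists the character set.
    if not EMAIL_CHARS.fullmatch(email) or "@" not in email:
        problems.append("server.admin.email must contain @ and only A-Z a-z 0-9 . _ % + -")
    pw = admin.get("password") or ""
    missing = [label for label, ok in (
        ("8 characters", len(pw) >= 8),
        ("a lowercase letter", any(c.islower() for c in pw)),
        ("an uppercase letter", any(c.isupper() for c in pw)),
        ("a number", any(c.isdigit() for c in pw)),
        ("a special character from ! @ # $ % ^ &", any(c in PASSWORD_SPECIALS for c in pw)),
    ) if not ok]
    if missing:
        problems.append("server.admin.password lacks: " + ", ".join(missing))
    # "Never" is the documented default, so an absent key is accepted.
    if server.get("upgrade", "Never") not in UPGRADE_VALUES:
        problems.append("server.upgrade must be Daily, Always or Never")
    return problems


# Constructed inputs: the page's sample values, and a deliberately broken variant.
SAMPLE = {"host": "http://my.domain.com", "org_name": "MyCompany", "upgrade": "Never",
          "admin": {"email": "admin@mycompany.com", "name": "Admin", "password": "Password1!"}}
BROKEN = {"host": "my.domain.com", "org_name": "MyCompany", "upgrade": "Weekly",
          "admin": {"email": "admin@my company.com", "name": "Admin", "password": "password"}}

if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE), ("broken", BROKEN)):
        print(name, validate_server(cfg) or "OK")
```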

Sample installation.yaml with required fields

server:
  host: "http://my.domain.com"
  org_name: "MyCompany"
  admin:
    email: "admin@mycompany.com"
    name: "Admin"
    password: "Password1!"
  upgrade: "Never"
  measurements:
    auto_scaling: "No"
    min_number_of_services: "2"
    max_number_of_services: "10"
    max_pod_memory_capacity: "8G"
    S3:
      bucket: ""
      key: ""
      secret: ""
      region: ""
  smtp:
    password: ""
    url: ""
    identity: ""
    user: ""
  authentication:
    authority: ""
    client_id: ""
    client_secret: ""
    jwks_url: ""
    issuer: ""
    ca_root_crt: |
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----      
  tls:
    use_letsencrypt: "No"
    crt: |
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----      
    key: |
      -----BEGIN PRIVATE KEY-----
      ...
      -----END PRIVATE KEY-----      
  nginx:
    force_http: "No"
    ipv6_disabled: "No"
    service_type: ""
  route:
    use_route: "Yes"
    tls_termination: "edge"
    use_tls_certificate: "No"
  mysql:
    external_mysql_ip: ""
    external_mysql_user: ""
    external_mysql_password: ""
    max_pod_memory_capacity: "2G"
  storage:
    storage_class: ""
    mysql_persistent_volume: ""
    storage_persistent_volume: ""
    lets_encrypt_persistent_volume: ""
  backup:
    mysql:
      S3:
        bucket: ""
        key: ""
        secret: ""
        region: ""
  security:
    image_pull_policy: ""


Optional fields in installation.yaml


authentication
Installation.yaml Configuration
Details
authentication:
   authority: "https://accounts.google.com"
   client_id: "clientID-xyz"
   client_secret: "clientSecret-xyz"
   jwks_url: "https://www.googleapis.com/oauth2/v3/certs"
   issuer: "https://accounts.google.com"
   ca_root_crt: |
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
  • By default, a vFunction Server allows users to authenticate with a built-in OAuth username and password workflow
  • The authentication subkey is used to change the authentication workflow from this built-in OAuth username and password to integrate with an OpenID Connect identity provider

backup
Installation.yaml Configuration
Details
backup:
   mysql:
      S3:
         bucket: "awsBucket"
         key: "awsKey"
         secret: "awsSecret"
         region: "awsRegion"
  • The MySQL DB Persistent Volume can be backed up to an AWS S3 bucket if desired

mysql
Installation.yaml Configuration
Details
mysql:
   external_mysql_ip: "ipAddress"
   external_mysql_user: "username"
   external_mysql_password: "password"
  • Used if the MySQL database is hosted outside the vFunction OpenShift Operator Namespace

mysql.max_pod_memory_capacity
Installation.yaml Configuration
Details
mysql:
   max_pod_memory_capacity: "2G"
  • Used to increase the maximum amount of memory for the MySQL Pod, for example when the database grows large and the Daily Backup process requires additional resources.

nginx
Installation.yaml Configuration
Details
nginx:
   force_http: "Yes"
   ipv6_disabled: "No"
   service_type: ""
  • The force_http key can be used if the SSL certificate used in the environment is not going to be added to the vFunction Nginx Pod. With force_http set to Yes, TLS is terminated on the Route and the vFunction Nginx Pod listens for HTTP traffic on Port 80
  • The ipv6_disabled key stops the vFunction Nginx Pod from listening on IPv6 and from sending traffic to other Pods over IPv6

route
Installation.yaml Configuration
Details
route:
   use_route: "Yes"
   tls_termination: "passthrough"
   use_tls_certificate: "No"
  • The route.use_route key takes values of "Yes" or "No".

    "Yes" is the default value. Set the value to "No" to send traffic directly to the internal vFunction-Nginx Pod without creating a Route Object.

  • The route.tls_termination key takes values of "edge", "passthrough" or "reencrypt".

    route.tls_termination: "edge" is set as the default value. With edge set, TLS traffic will be terminated on the Route. The Route should have its own SSL certificate that can terminate TLS, e.g. openshift.mycompany.com. Traffic will be sent from the Route to the vfunction-nginx Pod on HTTP and the vfunction-nginx Pod will listen on Port 80.

    With route.tls_termination: "passthrough" set as the value, the OpenShift Cluster does not terminate TLS; TLS is terminated on the vfunction-nginx Pod. A valid SSL certificate is needed in the tls.crt along with the Key in tls.key.

    With route.tls_termination: "reencrypt" set as the value, traffic will go through the Route. TLS will be terminated and validated by the Route. Traffic will then be re-encrypted and sent to the vfunction-nginx Pod over TLS. A valid SSL certificate is needed in the tls.crt along with the Key in tls.key.

  • The route.use_tls_certificate key takes values of "Yes" or "No".
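
A consistency check for the route, tls and nginx sections described above, as an added example (not vFunction code). It reports where TLS ends for each tls_termination value and flags a missing tls.crt or tls.key. The function names and sample values are hypothetical, and the three sections are assumed to be already loaded as dicts.

```python
TERMINATIONS = {"edge", "passthrough", "reencrypt"}


def has_pem(value, label):
    """Structural check only: a PEM block of this type whose body is not the '...' placeholder."""
    lines = (value or "").strip().splitlines()
    return (len(lines) >= 3 and lines[1].strip() != "..."
            and lines[0].startswith("-----BEGIN ") and lines[0].endswith(label + "-----")
            and lines[-1].startswith("-----END ") and lines[-1].endswith(label + "-----"))


def check_tls_layout(route, tls, nginx):
    """Return (where TLS ends, list of conflicts) for the three config sections."""
    if route.get("use_route", "Yes") == "No":
        return "no Route object; traffic goes to the vFunction-Nginx Pod", []
    mode = route.get("tls_termination", "edge")  # "edge" is the documented default
    if mode not in TERMINATIONS:
        return "unknown", [f"route.tls_termination {mode!r} is not edge, passthrough or reencrypt"]
    if mode == "edge":
        return "TLS ends at the Route; Route to vfunction-nginx is HTTP on port 80", []
    findings = []
    where = ("TLS ends at the vfunction-nginx Pod" if mode == "passthrough"
             else "TLS ends at the Route and is re-encrypted to the vfunction-nginx Pod")
    if not has_pem(tls.get("crt"), "CERTIFICATE"):
        findings.append(f"{mode} needs a certificate in tls.crt")
    if not has_pem(tls.get("key"), "PRIVATE KEY"):
        findings.append(f"{mode} needs a key in tls.key")
    # Inferred from the force_http and tls_termination descriptions; not a rule the page states.
    if nginx.get("force_http") == "Yes":
        findings.append(f"nginx.force_http Yes (HTTP on port 80) conflicts with {mode}")
    return where, findings


# Constructed values: the page's '...' placeholder and stand-in PEM bodies (not real material).
PLACEHOLDER_CRT = "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n"
FAKE_CRT = "-----BEGIN CERTIFICATE-----\nconstructed-body\n-----END CERTIFICATE-----\n"
FAKE_KEY = "-----BEGIN PRIVATE KEY-----\nconstructed-body\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    print(check_tls_layout({"tls_termination": "passthrough"},
                           {"crt": PLACEHOLDER_CRT}, {"force_http": "Yes"}))
    print(check_tls_layout({"tls_termination": "reencrypt"},
                           {"crt": FAKE_CRT, "key": FAKE_KEY}, {"force_http": "No"}))
```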

security.image_pull_policy

server.custom_docker_registry
Installation.yaml Configuration
Details
server:
   custom_docker_registry: privateRegistry
  • Used with the Offline OpenShift Installation when the Container Images cannot be downloaded from the Red Hat Registry and must be downloaded from a Private Docker Registry instead
  • Instead of manually populating this value in the installation.yaml, this value should be populated as a Prerequisite to the installation while running the offline/init.sh script

server.custom_image_pull_secret
Installation.yaml Configuration
Details
server:
   custom_image_pull_secret: imagePullSecretValue
  • Used with the Offline OpenShift Installation when the Container Images cannot be downloaded from the Red Hat Registry and must be downloaded from a Private Docker Registry instead
  • The Image Pull Secret allows for the Private Docker Registry to be accessed to pull the Container Images for the OpenShift Operator installation
  • Instead of manually populating this value in the installation.yaml, this value should be populated as a Prerequisite to the installation while running the offline/init.sh script

server.offline
Installation.yaml Configuration
Details
server:
   offline: "Yes"
  • This value is pre-populated to "Yes" in the Offline OpenShift Installation TGZ to indicate that the installation will be performed with no Internet access

smtp
Installation.yaml Configuration
Details
smtp:
   user: notifications@mycompany.com
   password: my$uperS3cr3t
   identity:
   url: smtp://smtp.gmail.com:587
  • The vFunction Server can send notifications about upgrades, about Architectural Observability Events and about user onboarding

storage

tls