Installing Red Hat Developer Hub on Google Kubernetes Engine (GKE)
Running Red Hat Developer Hub on Google Kubernetes Engine (GKE) by using either the Operator or Helm chart
Abstract
- 1. Installing Developer Hub on Google Kubernetes Engine (GKE) by using the Operator
- 1.1. Installing the Developer Hub Operator on Google Kubernetes Engine (GKE) by using the OLM framework
- 1.2. Provisioning your custom Red Hat Developer Hub configuration
- 1.3. Provision your Red Hat Ecosystem pull secret to your Red Hat Developer Hub instance namespace
- 1.4. Using the Red Hat Developer Hub Operator to run Developer Hub with your custom configuration
- 1.5. Exposing your operator-based Red Hat Developer Hub instance on Google Kubernetes Engine (GKE)
- 2. Installing Developer Hub on GKE with the Helm chart
Red Hat Developer Hub (RHDH) is an enterprise-grade platform for building developer portals. Administrative users can configure roles, permissions, and other settings to enable other authorized users to deploy a RHDH instance on Google Kubernetes Engine (GKE) using either the Operator or Helm chart.
1. Installing Developer Hub on Google Kubernetes Engine (GKE) by using the Operator
To benefit from over-the-air updates and catalogs provided by Operator-based applications distributed with the Operator Lifecycle Manager (OLM) framework, consider installing Red Hat Developer Hub by using the Red Hat Developer Hub Operator distributed in the Red Hat Ecosystem.
On GKE, the most notable differences over an OpenShift-based installation are:
- The OLM framework and the Red Hat Ecosystem are not built-in.
- The Red Hat Ecosystem pull-secret is not managed globally.
- To expose the application, Ingresses replace OpenShift Routes.
For clarity, the content is broken down in sections highlighting these platform-specific additional steps.
1.1. Installing the Developer Hub Operator on Google Kubernetes Engine (GKE) by using the OLM framework
The Red Hat Ecosystem, based on the Operator Lifecycle Manager (OLM) framework, contains a distribution of the Red Hat Developer Hub Operator, aimed at managing your Red Hat Developer Hub instance lifecycle.
However, on Google Kubernetes Engine (GKE):
- The Operator Lifecycle Manager (OLM) framework and the Red Hat Ecosystem are not built-in.
- The Red Hat Ecosystem pull-secret is not managed globally.
Therefore, install the OLM framework, the Red Hat Ecosystem, and provision your Red Hat Ecosystem pull secret to install Developer Hub Operator.
Prerequisites
-
You have installed the
kubectl
CLI on your local environment. - Your system meets the sizing requirements for Red Hat Developer Hub.
- You have installed the Operator Lifecycle Manager (OLM).
Your credentials to the Red Hat Container Registry:
- <redhat_user_name>
- <redhat_password>
- <email>
- You have logged in to your Google account and created a GKE Autopilot or GKE Standard cluster.
Procedure
Connect to your GKE cluster:
$ gcloud container clusters get-credentials <cluster-name> --location=<cluster-location>
- <cluster-name>
- Enter your GKE cluster name.
- <cluster-location>
- Enter your GKE cluster location.
Create the
rhdh-operator
namespace to contain the Red Hat Developer Hub Operator:$ kubectl create namespace rhdh-operator
Create a pull secret using your Red Hat credentials to pull the container images from the protected Red Hat Ecosystem:
$ kubectl -n rhdh-operator create secret docker-registry rhdh-pull-secret \ --docker-server=registry.redhat.io \ --docker-username=<redhat_user_name> \ --docker-password=<redhat_password> \ --docker-email=<email>
Create a catalog source that contains the Red Hat Ecosystem Operators:
$ cat <<EOF | kubectl -n rhdh-operator apply -f - apiVersion: operators.coreos.com/v1alpha1 kind: CatalogSource metadata: name: redhat-catalog spec: sourceType: grpc image: registry.redhat.io/redhat/redhat-operator-index:v4.18 secrets: - "rhdh-pull-secret" displayName: Red Hat Operators EOF
Create an operator group to manage your operator subscriptions:
$ cat <<EOF | kubectl apply -n rhdh-operator -f - apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: name: rhdh-operator-group EOF
Create a subscription to install the Red Hat Developer Hub Operator:
$ cat <<EOF | kubectl apply -n rhdh-operator -f - apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: name: rhdh namespace: rhdh-operator spec: channel: fast installPlanApproval: Automatic name: rhdh source: redhat-catalog sourceNamespace: rhdh-operator startingCSV: rhdh-operator.v1.7.0 EOF
To wait until the Operator deployment finishes to be able to run the next step, run:
until kubectl -n rhdh-operator get deployment rhdh-operator &>/dev/null; do echo -n . sleep 3 done echo "RHDH Operator Deployment created"
Include your pull secret name in the Operator deployment manifest, to avoid
ImagePullBackOff
errors:$ kubectl -n rhdh-operator patch deployment \ rhdh-operator --patch '{"spec":{"template":{"spec":{"imagePullSecrets":[{"name":"rhdh-pull-secret"}]}}}}' \ --type=merge
Verification
Verify the deployment name:
$ kubectl get deployment -n rhdh-operator
1.2. Provisioning your custom Red Hat Developer Hub configuration
To configure Red Hat Developer Hub, provision your custom Red Hat Developer Hub config maps and secrets to Google Kubernetes Engine (GKE) before running Red Hat Developer Hub.
On Red Hat OpenShift Container Platform, you can skip this step to run Developer Hub with the default config map and secret. Your changes on this configuration might get reverted on Developer Hub restart.
Prerequisites
- By using the Kubernetes CLI ('kubectl'), you have access, with developer permissions, to the Kubernetes cluster aimed at containing your Developer Hub instance.
Procedure
Author your custom
<my_product_secrets>.txt
file to provision your secrets as environment variables values in a Kubernetes secret, rather than in clear text in your configuration files. It contains one secret per line inKEY=value
form.Author your custom
app-config.yaml
file. This is the main Developer Hub configuration file. You need a customapp-config.yaml
file to avoid the Developer Hub installer to revert user edits during upgrades. When your customapp-config.yaml
file is empty, Developer Hub is using default values.- To prepare a deployment with the Red Hat Developer Hub Operator on GKE, you can start with an empty file.
To prepare a deployment with the Red Hat Developer Hub Helm chart, or on Kubernetes, enter the Developer Hub base URL in the relevant fields in your
app-config.yaml
file to ensure proper functionality of Developer Hub. The base URL is what a Developer Hub user sees in their browser when accessing Developer Hub. The relevant fields arebaseUrl
in theapp
andbackend
sections, andorigin
in thebackend.cors
subsection:Example 1. Configuring the
baseUrl
inapp-config.yaml
app: title: Red Hat Developer Hub baseUrl: https://<my_developer_hub_domain> backend: auth: externalAccess: - type: legacy options: subject: legacy-default-config secret: "${BACKEND_SECRET}" baseUrl: https://<my_developer_hub_domain> cors: origin: https://<my_developer_hub_domain>
Optionally, enter your configuration such as:
Provision your custom configuration files to your GKE cluster.
Create the <my-rhdh-project> {namespace} aimed at containing your Developer Hub instance.
$ oc create namespace my-rhdh-project
Provision your
app-config.yaml
file to themy-rhdh-app-config
config map in the <my-rhdh-project> project.$ oc create configmap my-rhdh-app-config --from-file=app-config.yaml --namespace=my-rhdh-project
Provision your
<my_product_secrets>.txt
file to the<my_product_secrets>
secret in the <my-rhdh-project> project.$ oc create secret generic
<my_product_secrets>
--from-file=<my_product_secrets>.txt
--namespace=my-rhdh-project
Next steps
- To use an external PostgreSQL database, provision your PostgreSQL database secrets.
- To enable dynamic plugins, provision your dynamic plugins config map.
- To configure authorization by using external files, provision your RBAC policies config map.
1.3. Provision your Red Hat Ecosystem pull secret to your Red Hat Developer Hub instance namespace
On Google Kubernetes Engine (GKE), the Red Hat Ecosystem pull-secret is not managed globally. Therefore add your pull-secret in your Red Hat Developer Hub instance namespace.
Prerequisites
Your credentials to the Red Hat Container Registry:
- <redhat_user_name>
- <redhat_password>
- <email>
-
You created the
{my-rhdh-project}
namespace on GKE to host your Developer Hub instance.
Procedure
Create a pull secret using your Red Hat credentials to pull the container images from the protected Red Hat Ecosystem:
$ kubectl -n {my-rhdh-namespace} create secret docker-registry my-rhdh-pull-secret \ --docker-server=registry.redhat.io \ --docker-username=<redhat_user_name> \ --docker-password=<redhat_password> \ --docker-email=<email>
To enable pulling Developer Hub images from the Red Hat Ecosystem Catalog, add the image pull secret in the default service account within the namespace where the Developer Hub instance is being deployed:
$ kubectl patch serviceaccount default \ -p '{"imagePullSecrets": [{"name": "my-rhdh-pull-secret"}]}' \ -n {my-rhdh-namespace}
1.4. Using the Red Hat Developer Hub Operator to run Developer Hub with your custom configuration
To use the Developer Hub Operator to run Red Hat Developer Hub with your custom configuration, create your Backstage custom resource (CR) that:
- Mounts files provisioned in your custom config maps.
- Injects environment variables provisioned in your custom secrets.
Prerequisites
- By using the Kubernetes CLI ('kubectl'), you have access, with developer permissions, to the GKE cluster aimed at containing your Developer Hub instance.
- Your administrator has installed the Red Hat Developer Hub Operator in the cluster.
-
You have provisioned your custom config maps and secrets in your
<my-rhdh-project>
project.
Procedure
Author your Backstage CR in a
my-rhdh-custom-resource.yaml
file to use your custom config maps and secrets.Minimal
my-rhdh-custom-resource.yaml
custom resource example:apiVersion: rhdh.redhat.com/v1alpha3 kind: Backstage metadata: name: my-rhdh-custom-resource spec: application: appConfig: mountPath: /opt/app-root/src configMaps: - name: my-rhdh-app-config extraEnvs: secrets: - name: <my_product_secrets> extraFiles: mountPath: /opt/app-root/src route: enabled: true database: enableLocalDb: true
my-rhdh-custom-resource.yaml
custom resource example with dynamic plugins and RBAC policies config maps, and external PostgreSQL database secrets:apiVersion: rhdh.redhat.com/v1alpha3 kind: Backstage metadata: name: <my-rhdh-custom-resource> spec: application: appConfig: mountPath: /opt/app-root/src configMaps: - name: my-rhdh-app-config - name: rbac-policies dynamicPluginsConfigMapName: dynamic-plugins-rhdh extraEnvs: secrets: - name: <my_product_secrets> - name: my-rhdh-database-secrets extraFiles: mountPath: /opt/app-root/src secrets: - name: my-rhdh-database-certificates-secrets key: postgres-crt.pem, postgres-ca.pem, postgres-key.key route: enabled: true database: enableLocalDb: false
- Mandatory fields
- No fields are mandatory. You can create an empty Backstage CR and run Developer Hub with the default configuration.
- Optional fields
spec.application.appConfig.configMaps
- Enter your config map name list.
Mount files in the
my-rhdh-app-config
config map:spec: application: appConfig: mountPath: /opt/app-root/src configMaps: - name: my-rhdh-app-config
Mount files in the
my-rhdh-app-config
andrbac-policies
config maps:spec: application: appConfig: mountPath: /opt/app-root/src configMaps: - name: my-rhdh-app-config - name: rbac-policies
spec.application.extraEnvs.envs
Optionally, enter your additional environment variables that are not secrets, such as your proxy environment variables.
Inject your
HTTP_PROXY
,HTTPS_PROXY
andNO_PROXY
environment variables:spec: application: extraEnvs: envs: - name: HTTP_PROXY value: 'http://10.10.10.105:3128' - name: HTTPS_PROXY value: 'http://10.10.10.106:3128' - name: NO_PROXY value: 'localhost,example.org'
spec.application.extraEnvs.secrets
Enter your environment variables secret name list.
Inject the environment variables in your Red Hat Developer Hub secret:
spec: application: extraEnvs: secrets: - name: <my_product_secrets>
Inject the environment variables in the Red Hat Developer Hub and
my-rhdh-database-secrets
secrets:spec: application: extraEnvs: secrets: - name: <my_product_secrets> - name: my-rhdh-database-secrets
Note<my_product_secrets>
is your preferred Developer Hub secret name, specifying the identifier for your secret configuration within Developer Hub.spec.application.extraFiles.secrets
Enter your certificates files secret name and files list.
Mount the
postgres-crt.pem
,postgres-ca.pem
, andpostgres-key.key
files contained in themy-rhdh-database-certificates-secrets
secret:spec: application: extraFiles: mountPath: /opt/app-root/src secrets: - name: my-rhdh-database-certificates-secrets key: postgres-crt.pem, postgres-ca.pem, postgres-key.key
spec.database.enableLocalDb
Enable or disable the local PostgreSQL database.
Disable the local PostgreSQL database generation to use an external postgreSQL database:
spec: database: enableLocalDb: false
On a development environment, use the local PostgreSQL database:
spec: database: enableLocalDb: true
spec.deployment
- Optionally, enter your deployment configuration.
Apply your Backstage CR to start or update your Developer Hub instance:
$ oc apply --filename=my-rhdh-custom-resource.yaml --namespace=my-rhdh-project
1.5. Exposing your operator-based Red Hat Developer Hub instance on Google Kubernetes Engine (GKE)
On Google Kubernetes Engine (GKE), to expose your Red Hat Developer Hub instance, Kubernetes ingresses replace OpenShift Container Platform routes. The Red Hat Developer Hub operator does not create ingresses. Therefore, to access your Developer Hub instance via a domain name, create the required ingresses on GKE and point your domain name to it.
Prerequisites
- You have installed Red Hat Developer Hub by using the Red Hat Developer Hub Operator.
- You have configured a domain name for your Developer Hub instance.
- You have reserved a static external Premium IPv4 Global IP address that is not attached to any virtual machine (VM). For more information see Reserve a new static external IP address
You have configured the DNS records for your domain name to point to the IP address that has been reserved.
NoteYou need to create an
A
record with the value equal to the IP address. This process can take up to one hour to propagate.
Procedure
Create a Google-managed certificate manifest file, named
managed-certificate.yaml
:apiVersion: networking.gke.io/v1 kind: ManagedCertificate metadata: name: my-rhdh-certificate-name spec: domains: - <my_developer_hub_domain>
For more information about setting up a Google-managed certificate, see Setting up a Google-managed certificate.
Deploy the managed certificate:
$ kubectl -n my-rhdh-project apply -f managed-certificate.yaml
Create a frontend config manifest file, named
frontend-config.yaml
, to set a policy for redirecting to HTTPS.apiVersion: networking.gke.io/v1beta1 kind: FrontendConfig metadata: name: my-ingress_security_config spec: sslPolicy: gke-ingress-ssl-policy-https redirectToHttps: enabled: true
For more information about setting a policy to redirect to HTTPS, see HTTP to HTTPS redirects.
Deploy the frontend config:
$ kubectl -n my-rhdh-project apply -f frontend-config.yaml
Create an ingress manifest file, named
rhdh-ingress.yaml
, specifying your Developer Hub service name, and using your managed certificate and your frontend config:apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: my-rhdh-ingress annotations: kubernetes.io/ingress.class: "gce" kubernetes.io/ingress.global-static-ip-name: <ADDRESS_NAME> networking.gke.io/managed-certificates: my-rhdh-certificate-name networking.gke.io/v1beta1.FrontendConfig: my-ingress_security_config spec: ingressClassName: gce rules: - host: <my_developer_hub_domain> http: paths: - path: / pathType: Prefix backend: service: name: my-rhdh-custom-resource port: name: http-backend
Deploy the ingress:
$ kubectl -n my-rhdh-project apply -f rhdh-ingress.yaml
Verification
-
Wait for the
ManagedCertificate
to be provisioned. This process can take a couple of hours. -
Access RHDH with
https://<my_developer_hub_domain>
.
Additional information
For more information on setting up GKE using Ingress with TLS, see Secure GKE Ingress.
2. Installing Developer Hub on GKE with the Helm chart
When you install the Developer Hub Helm chart in Google Kubernetes Engine (GKE), it orchestrates the deployment of a Developer Hub instance, which provides a robust developer platform within the GKE ecosystem.
Prerequisites
-
You have subscribed to
registry.redhat.io
. For more information, see Red Hat Container Registry Authentication. -
You have installed
kubectl
. For more information, see Install kubetl. - You have installed the Google Cloud CLI. For more information, see Install the gcloud CLI.
- You have logged in to your Google account and created a GKE Autopilot or GKE Standard cluster.
- You have configured a domain name for your Developer Hub instance.
- You have reserved a static external Premium IPv4 Global IP address that is not attached to any VM. For more information see Reserve a new static external IP address
- You have configured the DNS records for your domain name to point to the IP address that has been reserved.
Make sure that your system meets the minimum sizing requirements. See Sizing requirements for Red Hat Developer Hub.
NoteYou need to create an
A
record with the value equal to the IP address. This process can take up to one hour to propagate.- You have installed Helm 3 or the latest. For more information, see Installing Helm.
Procedure
Go to your terminal and run the following command to add the Helm chart repository containing the Developer Hub chart to your local Helm registry:
helm repo add openshift-helm-charts https://charts.openshift.io/
Create a pull secret using the following command:
kubectl -n <your-namespace> create secret docker-registry rhdh-pull-secret \ 1 --docker-server=registry.redhat.io \ --docker-username=<user_name> \ 2 --docker-password=<password> \ 3 --docker-email=<email> 4
The created pull secret is used to pull the Developer Hub images from the Red Hat Ecosystem.
Set up a Google-managed certificate by creating a
ManagedCertificate
object that you must attach to the ingress.Example of attaching a
ManagedCertificate
object to the ingressapiVersion: networking.gke.io/v1 kind: ManagedCertificate metadata: name: <rhdh_certificate_name> spec: domains: - <rhdh_domain_name>
For more information about setting up a Google-managed certificate, see Setting up a Google-managed certificate.
Create a
FrontendConfig
object to set a policy for redirecting to HTTPS. You must attach this policy to the ingress.Example of attaching a
FrontendConfig
object to the ingressapiVersion: networking.gke.io/v1beta1 kind: FrontendConfig metadata: name: <ingress_security_config> spec: sslPolicy: gke-ingress-ssl-policy-https redirectToHttps: enabled: true
For more information about setting a policy to redirect to HTTPS, see HTTP to HTTPS redirects.
Create a file named
values.yaml
using the following template:Example
values.yaml
fileglobal: host: <rhdh_domain_name> route: enabled: false upstream: service: type: NodePort ingress: enabled: true annotations: kubernetes.io/ingress.class: gce kubernetes.io/ingress.global-static-ip-name: <ADDRESS_NAME> networking.gke.io/managed-certificates: <rhdh_certificate_name> networking.gke.io/v1beta1.FrontendConfig: <ingress_security_config> className: gce backstage: image: pullSecrets: - rhdh-pull-secret podSecurityContext: fsGroup: 2000 postgresql: image: pullSecrets: - rhdh-pull-secret primary: podSecurityContext: enabled: true fsGroup: 3000 volumePermissions: enabled: true
Run the following command in your terminal to deploy Developer Hub using the latest version of Helm Chart and using the
values.yaml
file:helm -n <your_namespace> install -f values.yaml <your_deploy_name> \ openshift-helm-charts/redhat-developer-hub \ --version 1.7.0
For the latest Helm Chart version, see this Helm Charts repository.
Verification
Confirm that the deployment is complete.
kubectl get deploy <your_deploy_name>-developer-hub -n <your_namespace>
Verify that the service and ingress were created.
kubectl get service -n <your_namespace> kubectl get ingress -n <your_namespace>
NoteWait for the
ManagedCertificate
to be provisioned. This process can take a couple of hours.-
Access RHDH with
https://<my_developer_hub_domain>
. To upgrade your deployment, use the following command:
helm -n <your_namespace> upgrade -f values.yaml <your_deploy_name> openshift-helm-charts/redhat-developer-hub --version <UPGRADE_CHART_VERSION>
To delete your deployment, use the following command:
helm -n <your_namespace> delete <your_deploy_name>