Validated Patterns

Deploying the Layered Zero Trust pattern

Follow these instructions to configure and deploy the Layered Zero Trust pattern.

Prerequisites
  • An OpenShift Container Platform 4.19 or newer cluster with:

    1. publicly signed certificates for Ingress.

    2. default StorageClass which provides dynamic PersistentVolume storage.

  • To customize the default configuration, you must have a GitHub account and a token with repository permissions to read from and write to your fork.

  • Access to Podman (or Docker) to run the container images that the pattern.sh script uses for provisioning.

  • Fulfill the general prerequisites for Validated Patterns.

  • Depending on the characteristics of your cluster, you might need additional hardware resources for the Advanced Cluster Management (ACM) component. For a single-node cluster, you can start with 4 vCPUs, 16 GB of memory, and 120 GB of storage.

    For more details about ACM sizing, see Sizing your cluster.

  • (Optional) The Helm binary; for instructions, see Installing Helm.

The Layered Zero Trust pattern’s default deployment assumes that none of its components have been installed previously. Verify that your OpenShift Container Platform environment does not already contain any of the listed components before proceeding.

Repository setup

Follow these instructions for setting up the project repository:

  1. Fork the layered-zero-trust repository from GitHub. You must fork the repository because your fork is updated as part of the GitOps and DevOps processes.

  2. Clone your forked repository.

    $ git clone git@github.com:<your_username>/layered-zero-trust.git

  3. Go to your repository. Ensure you are in the root directory of your Git repository by running the following command:

    $ cd </path_to_your_repository>

  4. Set up the upstream remote repository:

    $ git remote add -f upstream https://github.com/validatedpatterns/layered-zero-trust.git

  5. Verify the setup of your remote repositories by running the following command:

    $ git remote -v

    Example output:

    origin  git@github.com:<your_username>/layered-zero-trust.git (fetch)
    origin  git@github.com:<your_username>/layered-zero-trust.git (push)
    upstream    https://github.com/validatedpatterns/layered-zero-trust.git (fetch)
    upstream    https://github.com/validatedpatterns/layered-zero-trust.git (push)
  6. Create a local copy of the secret values file that can safely include credentials. Run the following command:

    $ cp values-secret.yaml.template ~/values-secret-layered-zero-trust.yaml

    To prevent pushing secrets to your Git repository, the command places the values-secret-layered-zero-trust.yaml file in your home directory rather than in the repository. You derive this file from the values-secret.yaml.template file located in the pattern’s top-level directory. When you create new patterns, add your secrets to the values-secret file in your home directory.

  7. Create a new feature branch, for example my-branch, from the main branch for your content:

    $ git checkout -b my-branch main

  8. (Optional) To customize the execution of the pattern, change the Helm values files and then commit the changes.

    $ git add <files_you_changed>
    $ git commit -m "Pattern customization"

    The following configuration files define the behavior and settings of the various components in the Layered Zero Trust pattern. You can customize these files to fit your specific deployment needs.

    • values-global.yaml: Global pattern configuration

    • values-hub.yaml: Hub cluster specific configuration

    • values-secret.yaml: Secret values (created from template)

    • values-<environment>.yaml: Environment-specific overrides (AWS, Azure, GCP)

  9. Push the changes from your local branch to your forked repository.

    $ git push origin my-branch
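The repository setup above, as an added shell helper that is not part of the Validated Patterns project: it performs the clone, upstream and branch steps idempotently and refuses to continue if the secret values file would end up inside the working tree or is already tracked by Git. GITHUB_USER, SECRET_FILE and the --run flag are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not project code): idempotent setup of a layered-zero-trust
# fork, with guards that keep the secret values file out of the repository.
set -eu

GITHUB_USER="${GITHUB_USER:-<your_username>}"   # assumption: supplied by the caller
UPSTREAM_URL="https://github.com/validatedpatterns/layered-zero-trust.git"
SECRET_FILE="${SECRET_FILE:-$HOME/values-secret-layered-zero-trust.yaml}"

# Return 0 only if the secret file path ($2) is not the repo dir ($1) or below it.
# Paths are compared as given; resolve symlinks first if you depend on them.
secret_file_outside_repo() {
  repo="${1%/}"; secret="$2"
  case "$secret" in
    "$repo"|"$repo"/*) return 1 ;;
    *) return 0 ;;
  esac
}

# "git remote add" fails when the remote exists, so only add it when missing.
ensure_upstream() {
  if ! git remote get-url upstream >/dev/null 2>&1; then
    git remote add -f upstream "$UPSTREAM_URL"
  fi
}

setup() {
  repo_dir="${1:-layered-zero-trust}"
  [ -d "$repo_dir/.git" ] || git clone "git@github.com:${GITHUB_USER}/layered-zero-trust.git" "$repo_dir"
  cd "$repo_dir"
  ensure_upstream
  if ! secret_file_outside_repo "$(pwd -P)" "$SECRET_FILE"; then
    echo "refusing: $SECRET_FILE lies inside the repository" >&2; return 1
  fi
  [ -f "$SECRET_FILE" ] || cp values-secret.yaml.template "$SECRET_FILE"
  # A secrets file committed to the fork would be pushed by later GitOps steps.
  if git ls-files --error-unmatch values-secret.yaml >/dev/null 2>&1; then
    echo "refusing: values-secret.yaml is tracked by git" >&2; return 1
  fi
  git checkout -B my-branch main
}

if [ "${1:-}" = "--run" ]; then
  setup "${2:-}"
fi
```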

Deploying the pattern by using the pattern.sh file

Deploy the Layered Zero Trust pattern by using the pattern.sh script.

  1. Log in to your OpenShift Container Platform cluster:

    1. By using the oc CLI:

      • Get an API token by visiting https://oauth-openshift.apps../oauth/token/request.

      • Log in with the retrieved token:

        $ oc login --token=<retrieved_token> --server=https://api.<your_cluster>.<domain>:6443
    2. By using KUBECONFIG:

      $ export KUBECONFIG=~/<path_to_kubeconfig>
  2. Run the pattern deployment script:

    $ ./pattern.sh make install

Verify the deployment

The Layered Zero Trust pattern provisions every component and manages them through OpenShift Container Platform GitOps. After you deploy the pattern, verify that all components are running correctly.

The Layered Zero Trust pattern installs the following two OpenShift Container Platform GitOps instances on your hub cluster. You can view these instances in the OpenShift Container Platform web console by using the Application Selector (the icon with nine small squares) in the top navigation bar.

  1. Cluster Argo CD: Deploys an App-of-Apps application named layered-zero-trust-hub. This application installs the pattern’s components.

  2. Hub Argo CD: Manages the Cluster Argo CD instance and the individual components that belong to the pattern on the hub OpenShift Container Platform instance.

If every Argo CD application reports a Healthy status, the pattern has been deployed successfully.
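The Healthy check above, as an added command-line example that is not part of the Validated Patterns project: it reads one line per Argo CD Application from an oc jsonpath query and fails unless every application is both Healthy and Synced, treating applications with no status yet as not ready. The sample output, the --live flag and the jsonpath query are assumptions of this example.

```shell
#!/usr/bin/env sh
# Added example (not project code): verify every Argo CD Application on the hub
# reports Healthy/Synced. Fields are joined with "|" rather than tab so that an
# empty status (application not reconciled yet) is not swallowed by `read`.
set -eu

JSONPATH='{range .items[*]}{.metadata.namespace}{"|"}{.metadata.name}{"|"}{.status.health.status}{"|"}{.status.sync.status}{"\n"}{end}'

# Read "namespace|name|health|sync" lines on stdin, print each application that
# is not Healthy and Synced, and return 0 only if nothing was printed.
check_argocd_apps() {
  bad=0
  while IFS='|' read -r ns name health sync || [ -n "${ns:-}" ]; do
    [ -n "$ns" ] || continue
    if [ "${health:-}" != "Healthy" ] || [ "${sync:-}" != "Synced" ]; then
      printf 'NOT READY  %s/%s  health=%s sync=%s\n' \
        "$ns" "$name" "${health:-<none>}" "${sync:-<none>}"
      bad=$((bad + 1))
    fi
  done
  [ "$bad" -eq 0 ]
}

# Constructed sample of the jsonpath output: one healthy hub, one app still
# progressing, one with no status at all.
sample_output() {
  printf '%s\n' \
    'openshift-gitops|layered-zero-trust-hub|Healthy|Synced' \
    'layered-zero-trust-hub|example-component-a|Progressing|OutOfSync' \
    'layered-zero-trust-hub|example-component-b||'
}

if [ "${1:-}" = "--live" ]; then
  oc get applications.argoproj.io -A -o jsonpath="$JSONPATH" | check_argocd_apps
else
  sample_output | check_argocd_apps || echo "pattern is not fully deployed yet"
fi
```

Run with --live against a cluster you are logged in to; the exit status is 0 only when the pattern has deployed successfully.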