Validated Patterns

Deploying the Layered Zero Trust pattern

Follow these instructions to configure and deploy the Layered Zero Trust pattern.

Prerequisites
  • An OpenShift Container Platform cluster with publicly signed certificates for Ingress

  • A GitHub account and a token for it with repositories permissions, to read from and write to your forks.

  • Access to Podman (or Docker) to run the container images that the pattern.sh script uses for provisioning.

  • Useful additions:

Repository setup

Follow these instructions for setting up the project repository:

  1. Fork the layered-zero-trust repository from GitHub. You must fork the repository because your fork is updated as part of the GitOps and DevOps processes.

  2. Clone your forked repository.

    $ git clone git@github.com:<your_username>/layered-zero-trust.git
  3. Go to your repository. Ensure you are in the root directory of your Git repository by running the following command:

    $ cd </path_to_your_repository>
  4. Set up upstream remote repository:

    $ git remote add -f upstream https://github.com/validatedpatterns/layered-zero-trust.git
  5. Verify the setup of your remote repositories by running the following command:

    $ git remote -v

    Example output:

    origin  git@github.com:<your_username>/layered-zero-trust.git (fetch)
    origin  git@github.com:<your_username>/layered-zero-trust.git (push)
    upstream    https://github.com/validatedpatterns/layered-zero-trust.git (fetch)
    upstream    https://github.com/validatedpatterns/layered-zero-trust.git (push)
  6. Create a local copy of the secret values file that can safely include credentials. Run the following command:

    $ cp values-secret.yaml.template ~/values-secret-layered-zero-trust.yaml

    To prevent secrets from being pushed to your Git repository, this command places the copy outside the clone, in your home directory, as values-secret-layered-zero-trust.yaml. The file is derived from the values-secret.yaml.template file in the pattern's top-level directory. When you create new patterns, add your secrets to this values-secret file in your home directory, never to a file inside the repository.

  7. Create a new feature branch, for example my-branch from the main branch for your content:

    $ git checkout -b my-branch main
  8. (Optional) To customize the execution of the pattern, change the Helm values files and then commit the changes:

    $ git add <files_you_changed>
    $ git commit -m "Pattern customization"

    The following configuration files define the behavior and settings of the various components in the Layered Zero Trust pattern. You can customize these files to fit your specific deployment needs.

    • values-global.yaml: Global pattern configuration

    • values-hub.yaml: Hub cluster specific configuration

    • values-secret.yaml: Secret values (created from template)

    • values-<environment>.yaml: Environment-specific overrides (AWS, Azure, GCP)

  9. Push the changes from your local branch to your forked repository.

    $ git push origin my-branch
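
Before pushing (step 9), it is worth confirming that the guarantee from step 6 still holds: the secrets file lives outside the clone, is readable only by you, and no values-secret*.yaml is tracked or staged. The following pre-push guard is an added example, not part of the layered-zero-trust repository; the file name and location are the ones the steps above use, and the `check` argument is an assumption of this script.

```shell
#!/bin/sh
# Added example (not from the pattern repository): guard to run from inside the clone
# before "git push origin my-branch". POSIX sh, so variables are global by design.

# Return 0 if FILE is not located under REPO_ROOT (so it cannot be committed by mistake).
secret_outside_repo() {
    file=$1; repo=$2
    case "$file" in
        "$repo"/*) return 1 ;;
        *) return 0 ;;
    esac
}

# Return 0 if FILE exists and its mode is exactly 0600 (owner read/write only).
# ls -ld is used instead of stat because its first ten columns are the same on GNU and BSD.
secret_perms_ok() {
    [ -f "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ]
}

# Return 0 if git tracks or has staged no values-secret*.yaml in REPO_ROOT.
# The *.template file is intentionally excluded by the regex (it ends in .template, not .yaml).
no_tracked_secrets() {
    repo=$1
    found=$(cd "$repo" && git ls-files --cached | grep -E '(^|/)values-secret[^/]*\.yaml$' || true)
    [ -z "$found" ] && return 0
    echo "tracked secret file(s) in $repo:" >&2
    echo "$found" >&2
    return 1
}

main() {
    repo=$(git rev-parse --show-toplevel)
    secret=$HOME/values-secret-layered-zero-trust.yaml
    secret_outside_repo "$secret" "$repo" || { echo "secrets file is inside the clone" >&2; exit 1; }
    secret_perms_ok "$secret"             || { echo "run: chmod 600 $secret" >&2; exit 1; }
    no_tracked_secrets "$repo"            || exit 1
    echo "ok: safe to push"
}

# Only run the checks when invoked as: sh prepush-check.sh check
if [ "${1:-}" = "check" ]; then main; fi
```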

Deploying the pattern by using the pattern.sh file

Deploy the Layered Zero Trust pattern by using the pattern.sh script.

  1. Log in to your OpenShift Container Platform cluster:

    1. By using the oc CLI:

      • Get an API token by visiting https://oauth-openshift.apps../oauth/token/request.

      • Log in with the retrieved token:

        $ oc login --token=<retrieved_token> --server=https://api.<your_cluster>.<domain>:6443
    2. By using KUBECONFIG:

      $ export KUBECONFIG=~/<path_to_kubeconfig>
  2. Run the pattern deployment script:

    $ ./pattern.sh make install

Verify the deployment

You can use the OpenShift Container Platform console and the Argo CD applications to verify the deployment.

  1. In the OpenShift Container Platform web console, navigate to the Operators > Installed Operators page.

  2. Check that Red Hat OpenShift GitOps Operator is installed in the openshift-operators namespace and its status is Succeeded.

  3. Use the Application Launcher within the OpenShift Container Platform console to confirm that all applications have synchronized successfully on both the Hub and the Cluster Argo CD instances.