Deploying the Layered Zero Trust pattern

Follow these instructions to configure and deploy the Layered Zero Trust pattern.

Prerequisites

- An OpenShift Container Platform 4.19 or newer cluster with:
  - publicly signed certificates for Ingress.
  - a default StorageClass which provides dynamic PersistentVolume storage.
- To customize the default configuration, you must have a GitHub account and a token with repositories permissions, to read from and write to your forks.
- Access to Podman (or Docker) for execution of the container images used by the pattern.sh script for provisioning.
- Fulfill the general prerequisites for Validated Patterns.
- Depending on the characteristics of your cluster, you might need additional hardware resources for the Advanced Cluster Management (ACM) component. For a single-node cluster, you can start with 4 vCPUs, 16 GB of memory, and 120 GB of storage. For more details about ACM sizing, see Sizing your cluster.
- (Optional) The Helm binary. For instructions, see Installing Helm.

Note: The Layered Zero Trust pattern's default deployment assumes that none of its components have been installed previously. Verify that your OpenShift Container Platform environment does not already contain any of the listed components before proceeding.
Repository setup

Follow these instructions for setting up the project repository:

1. Fork the layered-zero-trust repository from GitHub. You must fork the repository because your fork is updated as part of the GitOps and DevOps processes.

2. Clone your forked repository:

   $ git clone git@github.com:<your_username>/layered-zero-trust.git

3. Go to your repository. Ensure you are in the root directory of your Git repository by using the following command:

   $ cd </path_to_your_repository>

4. Set up the upstream remote repository:

   $ git remote add -f upstream git@github.com:validatedpatterns/layered-zero-trust.git

5. Verify the setup of your remote repositories by running the following command:

   $ git remote -v

   Example output:

   origin    git@github.com:<your_username>/layered-zero-trust.git (fetch)
   origin    git@github.com:<your_username>/layered-zero-trust.git (push)
   upstream  https://github.com/validatedpatterns/layered-zero-trust.git (fetch)
   upstream  https://github.com/validatedpatterns/layered-zero-trust.git (push)

6. Create a local copy of the secret values file that can safely include credentials. Run the following command:

   $ cp values-secret.yaml.template ~/values-secret-layered-zero-trust.yaml

   To prevent pushing secrets to your Git repository, the command places the values-secret-layered-zero-trust.yaml file in your home directory rather than in the repository. You derive this file from the values-secret.yaml.template file located in the pattern's top-level directory. When you create new patterns, add your secrets to the values-secret file in your home directory.

7. Create a new feature branch, for example my-branch, from the main branch for your content:

   $ git checkout -b my-branch main

8. (Optional) To customize the execution of the pattern, change the Helm values files and then commit the changes:

   $ git add <files_you_changed>
   $ git commit -m "Pattern customization"

   The following configuration files define the behavior and settings of the various components in the Layered Zero Trust pattern. You can customize these files to fit your specific deployment needs.

   - values-global.yaml: Global pattern configuration
   - values-hub.yaml: Hub cluster specific configuration
   - values-secret.yaml: Secret values (created from the template)
   - values-<environment>.yaml: Environment-specific overrides (AWS, Azure, GCP)

9. Push the changes from your local branch to your forked repository:

   $ git push origin my-branch
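The two checks a practitioner would want after the repository setup above are that the remotes really point where the instructions say (origin at your fork, upstream at the validatedpatterns organisation) and that the secrets file lives outside the working tree, where no git add can stage it. The following POSIX shell functions are an added example, not code from the layered-zero-trust repository or from pattern.sh; they work on text you pass in, so they run offline, and the sample remote listing and paths (user "alice") are constructed.

```shell
#!/bin/sh
# Added example, not part of the layered-zero-trust repository or of pattern.sh.
# Two offline sanity checks for the repository setup described above:
#   - check_remotes       : origin must be your fork, upstream must be the
#                           validatedpatterns organisation
#   - secrets_outside_repo: the secrets file must not live inside the working
#                           tree, so `git add` can never stage it
# The sample inputs at the bottom are constructed for illustration.

# Reads `git remote -v` output on stdin. Returns 0 when origin points at a
# fork (any owner except validatedpatterns) and upstream points at
# validatedpatterns/layered-zero-trust; returns 1 otherwise.
check_remotes() {
  origin_ok=1
  upstream_ok=1
  while read -r name url kind; do
    [ "$kind" = "(fetch)" ] || continue
    case "$name:$url" in
      origin:*validatedpatterns/layered-zero-trust.git) ;;   # origin is upstream itself: not a fork
      origin:*/layered-zero-trust.git) origin_ok=0 ;;
      upstream:*validatedpatterns/layered-zero-trust.git) upstream_ok=0 ;;
    esac
  done
  [ "$origin_ok" -eq 0 ] && [ "$upstream_ok" -eq 0 ]
}

# Returns 0 when the secrets file path is outside the repository directory,
# 1 when it is inside it (and therefore one `git add .` away from being pushed).
secrets_outside_repo() {
  repo=${1%/}     # drop a trailing slash so the pattern below matches cleanly
  secret=$2
  case "$secret" in
    "$repo"/*) return 1 ;;
    *)         return 0 ;;
  esac
}

# Constructed sample: the layout the instructions above produce for user "alice".
SAMPLE_REMOTES=$(printf 'origin\tgit@github.com:alice/layered-zero-trust.git (fetch)\n'
                 printf 'origin\tgit@github.com:alice/layered-zero-trust.git (push)\n'
                 printf 'upstream\thttps://github.com/validatedpatterns/layered-zero-trust.git (fetch)\n'
                 printf 'upstream\thttps://github.com/validatedpatterns/layered-zero-trust.git (push)\n')

if printf '%s\n' "$SAMPLE_REMOTES" | check_remotes; then
  echo "remotes: OK"
else
  echo "remotes: origin or upstream is misconfigured"
fi

if secrets_outside_repo /home/alice/layered-zero-trust /home/alice/values-secret-layered-zero-trust.yaml; then
  echo "secrets file: outside the repository, OK"
else
  echo "secrets file: inside the repository, move it to your home directory"
fi
```

Against a real checkout, feed the functions live data instead of the samples: git remote -v | check_remotes, and secrets_outside_repo "$(pwd)" ~/values-secret-layered-zero-trust.yaml from the repository root.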
Deploying the pattern by using the pattern.sh file

Deploy the Layered Zero Trust pattern by using the pattern.sh script.

1. Log in to your OpenShift Container Platform cluster by using one of the following methods:

   - By using the oc CLI: get an API token by visiting https://oauth-openshift.apps.../oauth/token/request and log in with the retrieved token:

     $ oc login --token=<retrieved_token> --server=https://api.<your_cluster>.<domain>:6443

   - By using KUBECONFIG:

     $ export KUBECONFIG=~/<path_to_kubeconfig>

2. Run the pattern deployment script:

   $ ./pattern.sh make install
Verify the deployment

The Layered Zero-Trust pattern provisions every component and manages them through OpenShift Container Platform GitOps. After you deploy the pattern, verify that all components are running correctly.

The Layered Zero-Trust pattern installs the following two OpenShift Container Platform GitOps instances on your Hub cluster. You can view these instances in the OpenShift Container Platform web console by using the Application Selector (the icon with nine small squares) in the top navigation bar.

- Cluster Argo CD: Deploys an App-of-Apps application named layered-zero-trust-hub. This application installs the pattern's components.
- Hub Argo CD: Manages the Cluster Argo CD instance and the individual components that belong to the pattern on the hub OpenShift Container Platform instance.

If every Argo CD application reports a Healthy status, the pattern has been deployed successfully.
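Checking the web console by hand does not scale to a scripted install, so the following added example (not part of the pattern or of pattern.sh) does the same verification from the command line: it reads the Application health and sync columns that oc can print for Argo CD resources and reports anything that is not both Healthy and Synced. The oc custom-columns flags and the .status.health.status and .status.sync.status fields are standard Argo CD fields; the sample table, the placeholder component name and the namespaces in it are constructed and not taken from the pattern's documentation.

```shell
#!/bin/sh
# Added example, not part of the pattern or of pattern.sh. After running
#   ./pattern.sh make install
# each Argo CD Application resource reports a health and a sync state. The
# real table comes from (standard oc and Argo CD fields):
#   oc get applications.argoproj.io -A -o custom-columns=\
#     NAMESPACE:.metadata.namespace,NAME:.metadata.name,\
#     HEALTH:.status.health.status,SYNC:.status.sync.status
# unhealthy_apps reads that table on stdin, prints every application that is
# not both Healthy and Synced, and returns 1 if it printed anything.
unhealthy_apps() {
  awk 'NR > 1 && !($3 == "Healthy" && $4 == "Synced") {
         print $1 "/" $2 ": health=" $3 " sync=" $4
         bad = 1
       }
       END { exit bad + 0 }'
}

# Polls the cluster until every application is Healthy and Synced or the
# timeout (seconds) elapses. Not run below because it needs a live cluster.
wait_for_healthy() {
  timeout=${1:-900}
  elapsed=0
  while [ "$elapsed" -lt "$timeout" ]; do
    table=$(oc get applications.argoproj.io -A -o custom-columns=NAMESPACE:.metadata.namespace,NAME:.metadata.name,HEALTH:.status.health.status,SYNC:.status.sync.status) || return 1
    if printf '%s\n' "$table" | unhealthy_apps; then
      echo "all Argo CD applications are Healthy and Synced"
      return 0
    fi
    sleep 30
    elapsed=$((elapsed + 30))
  done
  echo "timed out after ${timeout}s with applications still not Healthy/Synced" >&2
  return 1
}

# Constructed sample output, mid-deployment: the App-of-Apps named in the
# instructions is healthy, while a component (placeholder name) is still syncing.
# The namespaces are assumed values, not taken from the pattern's documentation.
SAMPLE_TABLE='NAMESPACE              NAME                     HEALTH        SYNC
openshift-gitops       layered-zero-trust-hub   Healthy       Synced
layered-zero-trust-hub example-component        Progressing   OutOfSync'

if printf '%s\n' "$SAMPLE_TABLE" | unhealthy_apps; then
  echo "deployment verified"
else
  echo "deployment not complete yet"
fi
```

On a live cluster, call wait_for_healthy 900 after ./pattern.sh make install; it returns non-zero if oc cannot reach the cluster or if any application is still unhealthy or out of sync when the timeout expires, which is the exit status a CI job should fail on.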
