Installation, Deployment and Configuration
Getting CTE for Kubernetes deployment files
Obtain CTE for Kubernetes through the YAML files available in the cte-csi-deploy Git repository at:
git clone https://github.com/thalescpl-io/ciphertrust-transparent-encryption-kubernetes.git
Prerequisites
Installation Dependencies for Kubernetes Operator
CTE for Kubernetes v1.5.0 and subsequent versions install with the CTE for Kubernetes Operator by default. Therefore, you must install the Operator Lifecycle Manager (OLM) if you choose to use Kubernetes Operator. If OLM is not properly installed, the operator installation fails.
OLM is a framework for managing the lifecycle of Kubernetes Operators. It simplifies the process of installing, managing, and upgrading operators and their associated applications within a Kubernetes cluster.
When installing CTE for Kubernetes, it requires the following dependencies:
| Dependency | Deployment Method |
|---|---|
| kubectl | Helm / Kubernetes Operator |
| Operator Lifecycle Manager (OLM) | Kubernetes Operator |
Creating the Required Kubernetes Secret
For CTE for Kubernetes Operator v1.5.9, the Operator Controller Manager has a change that requires an additional step to be carried out by the cluster administrator before deployment. This prerequisite is mandatory.
There has been a change in how the Kubernetes Operator Controller Manager downloads images. The kube-rbac-proxy used by the operator-controller-manager pod performs RBAC authorizations with the Kubernetes API Server. The CTE for Kubernetes Operator previously pulled this image from gcr.io. However, this image has been deprecated and will be removed from GCR. The CTE for Kubernetes Operator has shifted to pulling the image hosted by registry.redhat.io. While gcr.io is a public registry and does not require authentication for pulling images, registry.redhat.io requires authentication.
Due to this change, it is now a requirement to create a specific Kubernetes secret named rh-kube-proxy-secret. The cluster administrator must create this secret in the namespace in which they are deploying the operator. Without this secret, attempts to create new pods will result in errors due to the authentication requirement of registry.redhat.io.
OpenShift Environment
- Use a login account created on the Red Hat portal to create the secret using the following command:
oc create secret docker-registry rh-kube-proxy-secret --docker-username="<username on Redhat portal>" --docker-password="<Redhat portal password>" --docker-server="registry.redhat.io" --namespace="<namespace in which CTE-K8s Operator is to be deployed>"
If you miss this step, you will encounter an ErrImagePull/ImagePullBackOff error in the Events section of the cte-k8s-operator-controller-manager-XXXXXXXXX-YYYYY pod:
Events:
  Type     Reason   Age                From     Message
  ----     ------   ----               ----     -------
  Normal   Pulling  18m (x3 over 19m)  kubelet  Pulling image "registry.redhat.io/openshift4/ose-kube-rbac-proxy-rhel9:v4.17.0-202503121206.p0.g7718265.assembly.stream.el9"
  Warning  Failed   18m (x3 over 19m)  kubelet  Failed to pull image "registry.redhat.io/openshift4/ose-kube-rbac-proxy-rhel9:v4.17.0-202503121206.p0.g7718265.assembly.stream.el9": failed to pull and unpack image "registry.redhat.io/openshift4/ose-kube-rbac-proxy-rhel9:v4.17.0-202503121206.p0.g7718265.assembly.stream.el9": failed to resolve reference "registry.redhat.io/openshift4/ose-kube-rbac-proxy-rhel9:v4.17.0-202503121206.p0.g7718265.assembly.stream.el9": failed to authorize: failed to fetch anonymous token: unexpected status from GET request to https://registry.redhat.io/auth/realms/rhcc/protocol/redhat-docker-v2/auth?scope=repository%3Aopenshift4%2Fose-kube-rbac-proxy-rhel9%3Apull&service=docker-registry: 401 Unauthorized
If you run into this error, undeploy the CTE-K8s Operator, create the secret as described above, and then re-deploy the CTE-K8s Operator.
- If you experience this error:
a. Create a secret, rh-kube-proxy-secret, in the kube-system namespace in which the operator is being installed:
kubectl create secret docker-registry rh-kube-proxy-secret --docker-username="<your userid on Redhat portal>" --docker-password=<your redhat portal password> --docker-server="registry.redhat.io" -n <namespace of operator deploy>
b. Verify that the secret has been created successfully:
kubectl get secret rh-kube-proxy-secret -n <namespace>
c. Once the secret is created, delete the pod that is showing ImagePullErr:
kubectl delete pod -n <namespace> cte-k8s-operator-controller-manager-c6997c9fd-lc9mq
This causes the pod to restart, pick up the secret that you just created, and pull the image successfully.
Note
The previous steps do not have any effect on the CTE-K8s pods that have already been deployed by an earlier version of the Operator.
Standard Kubernetes Environment
- In a standard Kubernetes environment, create the secret using the following command:
kubectl create secret docker-registry rh-kube-proxy-secret \
  --docker-server=registry.redhat.io \
  --docker-username=<your_redhat_username> \
  --docker-password=<your_redhat_password> \
  --docker-email=<your_email> \
  -n <your_namespace>
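The checks behind the steps above, as an added shell example that is not part of the Thales deployment scripts: it reproduces the .dockerconfigjson document that "kubectl create secret docker-registry" stores, verifies that an existing rh-kube-proxy-secret actually carries registry.redhat.io credentials (a leftover secret for gcr.io is rejected), and recognises the 401 Unauthorized pull event shown in the Events output. The preflight function, its jsonpath query and the coreutils base64 dependency are assumptions.

```shell
#!/bin/sh
# Pre-flight check for rh-kube-proxy-secret (added example; not Thales' deploy tooling).
# Assumes coreutils base64 and, for preflight(), kubectl with access to the cluster.

REGISTRY="registry.redhat.io"
SECRET_NAME="rh-kube-proxy-secret"

# Reproduce the .dockerconfigjson document that
# "kubectl create secret docker-registry" stores: an "auths" map keyed by
# registry host, with auth = base64("user:password").
build_dockerconfig_json() {
  user="$1"; pass="$2"
  auth=$(printf '%s:%s' "$user" "$pass" | base64 | tr -d '\n')
  printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
    "$REGISTRY" "$user" "$pass" "$auth"
}

# Take the base64 value of .data[".dockerconfigjson"] as stored in the secret
# and return 0 only if it carries credentials for registry.redhat.io.
# A secret that only knows gcr.io (the old registry) is rejected.
dockerconfig_has_registry() {
  decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null) || return 1
  printf '%s' "$decoded" | grep -qF "\"$REGISTRY\""
}

# Return 0 if a kubelet event message is the anonymous-token 401 from
# registry.redhat.io shown in the Events output above.
is_rh_auth_pull_failure() {
  printf '%s' "$1" | grep -qF "$REGISTRY" &&
    printf '%s' "$1" | grep -qF '401 Unauthorized'
}

# Live check against the cluster: confirm the secret exists in the operator
# namespace and targets the right registry before running deploy.sh.
preflight() {
  ns="$1"
  command -v kubectl >/dev/null 2>&1 || { echo "kubectl not found"; return 2; }
  enc=$(kubectl get secret "$SECRET_NAME" -n "$ns" \
        -o jsonpath='{.data.\.dockerconfigjson}' 2>/dev/null) || {
    echo "$SECRET_NAME missing in namespace $ns; create it before deploy.sh"; return 1; }
  dockerconfig_has_registry "$enc" ||
    { echo "$SECRET_NAME does not hold $REGISTRY credentials"; return 1; }
  echo "ok: $SECRET_NAME present in $ns with $REGISTRY credentials"
}

# Usage: sh preflight.sh <operator-namespace>
if [ $# -gt 0 ]; then preflight "$1"; fi
```

Run it with the operator namespace as its only argument before invoking deploy.sh; a non-zero exit means the secret is missing or points at the wrong registry.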
Installing the CTE for Kubernetes Operator
Warning
- Do not uninstall CTE for Kubernetes and the operator from the CLI if they were installed using the GUI.
- Similarly, do not uninstall CTE for Kubernetes and the operator from the GUI if they were installed using the CLI.
Note
You can install CTE for Kubernetes and the Operator only in the OpenShift-operators namespace; to install in other namespaces, use the CLI option.
The CTE for Kubernetes Operator can be installed using one of two methods:
- CLI
- Cluster Console GUI
CLI Method Prerequisites
- Install the Operator Lifecycle Manager (OLM) on the cluster. Refer to Installing OLM for instructions on how to install OLM on the cluster.
Note
The latest version of OpenShift is installed by default.
- Install OC (OpenShift CLI command for OpenShift cluster) on the cluster.
Note
The user installing the Operator must have Cluster Admin permissions.
- Download the Deploy Scripts.
- Execute the deploy.sh script from the deploy directory, type:
./deploy.sh --operator --operator-ns=<namespace-in-which-to-deploy-the-operator> --cte-ns=<namespace-in-which-to-deploy-cte-4-k8s>
Example
./deploy.sh --operator-ns=my-ns1 --cte-ns=my-ns2
If either of the namespace options is not specified, the script sets kube-system as the default namespace for deployment.
Installing a specific image
- Change to the CTE for Kubernetes directory, type:
cd ciphertrust-transparent-encryption-kubernetes
- Deploy the specific image:
./deploy.sh -t 1.6.0.31
Namespace Deployments
Ensure that the namespace passed to the deployment script exists before initiating deployment. This prevents the script from prompting for creation of namespace during deployment. For example, if the deployment script is invoked as:
./deploy.sh --operator --operator-ns=my-ns1 --cte-ns=my-ns2
where both namespaces my-ns1 and my-ns2 do not exist, the script prompts with the following response:
Starting the cte-csi containers
NAMESPACE my-ns1 not found!!!!!!
Namespace my-ns1 not found. Do you want to create it now [N/y]
Once the namespace information is available, the script proceeds to create the required objects and installs the operator. After installing the operator, the script deploys the ctek8soperator CRD. This deploys CTE for Kubernetes on the cluster in the namespace specified.
Using the Cluster Console Web GUI
The CTE for Kubernetes Operator is certified with Red Hat for the OpenShift platform. It is integrated with OperatorHub. The operator can be discovered on the OperatorHub page.
- Open a browser and navigate to the Operators > OperatorHub link in the left navigation panel on the console GUI. Type CTE in the search field under All Items to find the CTE for Kubernetes Operator.
- Click on the tile to access the install option.
- Ensure that all prerequisites are met before installing the operator.
- Click Install to install the operator. Do not change the default values on the install page.