{"id":3082,"date":"2022-08-29T09:16:41","date_gmt":"2022-08-29T07:16:41","guid":{"rendered":"https:\/\/nine30.info\/?p=3082"},"modified":"2022-08-29T09:16:41","modified_gmt":"2022-08-29T07:16:41","slug":"integrating-vrealize-operations-with-openshift-container-platform","status":"publish","type":"post","link":"https:\/\/nine30.nxt70.com\/index.php\/2022\/08\/29\/integrating-vrealize-operations-with-openshift-container-platform\/","title":{"rendered":"Integrating vRealize Operations with OpenShift Container Platform"},"content":{"rendered":"\n<p>VMware provides a vRealize Operations (vROps) Management Pack for Kubernetes that supports Prometheus; the documentation is available <a href=\"https:\/\/docs.vmware.com\/en\/VMware-vRealize-Operations-Management-Pack-for-Kubernetes\/1.7\/management-pack-for-kubernetes\/GUID-BD6B5510-4A16-412D-B5AD-43F74C300C91.html\">here<\/a>. As per the Prometheus <a href=\"https:\/\/prometheus.io\/docs\/guides\/basic-auth\/\">documentation<\/a>, currently only basic auth is supported. Consequently, this authentication method has been certified in the Management Pack. However, OpenShift Container Platform (OCP) comes with an internal Prometheus instance that only supports token-based authentication. In this post I share how to enable the Management Pack to integrate with the OCP internal Prometheus instance. The solution is pretty simple: we place a reverse proxy (NGINX in my case, but any reverse proxy would do the job) between vROps and the OCP internal Prometheus. The reverse proxy performs token-based authentication on behalf of the Management Pack. 
<\/p>\n\n\n\n<p>This solution is validated against the following product versions:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>vRealize Operations 8.6<\/li><li>Management Pack for Kubernetes 1.7<\/li><li>OpenShift Container Platform 4.7<\/li><\/ul>\n\n\n\n<p>It is my understanding that the same approach would be supported for the following versions:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>vRealize Operations 8.5 and above<\/li><li>Management Pack for Kubernetes 1.6.1 and above<\/li><li>OpenShift Container Platform 4.7 and above<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Requirements<\/h2>\n\n\n\n<ul class=\"is-style-default wp-block-list\"><li>Create a Service Account in each OpenShift Container Platform instance as per the <a href=\"https:\/\/docs.openshift.com\/container-platform\/4.7\/authentication\/using-service-accounts-in-applications.html\">documentation<\/a>. The Service Account needs the following grants: <code>cluster-monitor-view<\/code> and <code>cluster-reader<\/code><\/li><li>Deploy an NGINX server (in my case running on a Linux VM, but nothing stops you from deploying it on OCP)<\/li><li>Configure NGINX (<code>nginx.conf<\/code> file) with a server context for each OCP cluster instance to be monitored<\/li><li>NGINX needs to be configured as a reverse proxy for the \/ location because, as far as I understand, other locations are currently not supported in the Management Pack<\/li><\/ul>\n\n\n\n<p>There are many examples of how to configure NGINX; <a rel=\"noreferrer noopener\" href=\"https:\/\/www.nginx.com\/resources\/wiki\/start\/topics\/examples\/full\/\" target=\"_blank\">this<\/a> is the official NGINX documentation. 
Below is an example of the NGINX server context configuration in the <code>nginx.conf<\/code> file that we need in order to enable the integration.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># One server context per OCP cluster, each on its own listen port\nserver {\n\tlisten 8081;\n\tlocation \/ {\n\t\t# Service Account token that NGINX presents on behalf of vROps\n\t\tset $token \"&lt;your-ocp-instance-service-account-token&gt;\";\n\t\tproxy_set_header Authorization \"Bearer $token\";\n\t\t# Full URL, scheme included, of the OCP Prometheus route\n\t\tproxy_pass &lt;your-ocp-prometheus-instance-url&gt;;\n\t}\n}\n<\/code><\/pre>\n\n\n\n<p>A server context like the one above must be created for each OCP instance to be managed with vROps; make sure to use a different listen port for each server context. Because NGINX adds the token to every request it forwards, any client that can reach a listen port gets the Service Account's read access to Prometheus, so restrict those ports to the vROps nodes.<\/p>\n\n\n\n<p>Use the following instructions to retrieve both the Service Account token and the Prometheus URL for each OCP instance.<\/p>\n\n\n\n<p>Log in to the OCP instance using the CLI:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ oc login -u &lt;your-username&gt; -p &lt;your-password&gt; &lt;ocp-instance-master-url&gt;<\/code><\/pre>\n\n\n\n<p>Get the Service Account token:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ oc sa get-token &lt;your-sa-name&gt; -n &lt;your-sa-namespace&gt;<\/code><\/pre>\n\n\n\n<p>Get the Prometheus URL:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ oc get route -n &lt;your-prometheus-namespace&gt; &lt;Prometheus-route-name&gt; -o jsonpath='{.status.ingress&#91;0].host}'<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Configure the Management Pack<\/h2>\n\n\n\n<p>In the vRealize Operations console, configure an Account for the MP for Kubernetes for each OCP instance as in the picture below.<\/p>\n\n\n\n<figure class=\"wp-block-gallery has-nested-images columns-default is-cropped wp-block-gallery-1 is-layout-flex wp-block-gallery-is-layout-flex\">\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" data-id=\"3086\" src=\"https:\/\/nine30.info\/wp-content\/uploads\/2022\/08\/01.account-1024x497.jpg\" alt=\"\" 
class=\"wp-image-3086\"\/><\/figure>\n<\/figure>\n\n\n\n<p>For each Account create a Credential as shown in the picture below. Note that the Prometheus Server parameter has to be set to your NGINX FQDN followed by the listen port defined in the server context (in the <code>nginx.conf<\/code> file) for the specific OCP instance to be monitored. Use the following standard syntax: <code>&lt;your-nginx-fqdn&gt;:&lt;listen-port-in-nginx-config&gt;\/<\/code><\/p>\n\n\n\n<figure class=\"wp-block-gallery has-nested-images columns-default is-cropped wp-block-gallery-2 is-layout-flex wp-block-gallery-is-layout-flex\">\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" data-id=\"3093\" src=\"https:\/\/nine30.info\/wp-content\/uploads\/2022\/08\/02.Credentials-2-1024x500.png\" alt=\"\" class=\"wp-image-3093\"\/><\/figure>\n<\/figure>\n\n\n\n<p>Once you have the Management Pack configured, you should see data start flowing into vROps.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Integrate vROps with OpenShift internally shipped Prometheus. 
<\/p>\n","protected":false},"author":1,"featured_media":3095,"comment_status":"open","ping_status":"open","sticky":false,"template":"templates\/template-cover.php","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[4],"tags":[93,97,99,115,121,178,185,189],"class_list":["post-3082","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-tech","tag-integration","tag-kubernetes","tag-linux","tag-nginx","tag-openshift","tag-vmware","tag-vrealize","tag-vrops","entry"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/nine30.nxt70.com\/index.php\/wp-json\/wp\/v2\/posts\/3082","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nine30.nxt70.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nine30.nxt70.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nine30.nxt70.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nine30.nxt70.com\/index.php\/wp-json\/wp\/v2\/comments?post=3082"}],"version-history":[{"count":0,"href":"https:\/\/nine30.nxt70.com\/index.php\/wp-json\/wp\/v2\/posts\/3082\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/nine30.nxt70.com\/index.php\/wp-json\/"}],"wp:attachment":[{"href":"https:\/\/nine30.nxt70.com\/index.php\/wp-json\/wp\/v2\/media?parent=3082"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nine30.nxt70.com\/index.php\/wp-json\/wp\/v2\/categories?post=3082"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nine30.nxt70.com\/index.php\/wp-json\/wp\/v2\/tags?post=3082"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}