Deploy OneAgent on OpenShift Container Platform

For full-stack monitoring of OpenShift clusters, you need to roll-out DESK OneAgent on each cluster node using OneAgent Operator.

Note:
OneAgent Operator v0.3+ requires OpenShift 3.11 or higher. Older versions of the OneAgent Operator work with OpenShift v3.9 or higher.

Prepare DESK tokens for OneAgent Operator

The OneAgent Operator requires two different tokens for interacting with DESK servers. These two tokens are made available to OneAgent Operator by means of a Kubernetes secret as explained at a later step.

Get an API token for the DESK API with the scope Access problem and event feed, metrics, and topology. This token is later referenced as API_TOKEN.
Get a Platform-as-a-Service token. This token is later referenced as PAAS_TOKEN.

Install OneAgent Operator

Manual Install Install via OperatorHub

Start by adding a new project as follows: $ oc adm new-project --node-selector="" desk

If you are installing the Operator on an OpenShift Container Platform 3.11 environment, in order to use the certified OneAgent Operator and OneAgent images from Red Hat Container Catalog (RHCC), you need to provide image pull secrets. The Service Accounts on the openshift.yaml manifest already have links to the secrets to be created below. Skip this step if you are using OCP 4.x.

# For OCP 3.11
$ oc -n desk create secret docker-registry redhat-connect --docker-server=registry.connect.redhat.com --docker-username=REDHAT_CONNECT_USERNAME --docker-password=REDHAT_CONNECT_PASSWORD --docker-email=unused
$ oc -n desk create secret docker-registry redhat-connect-sso --docker-server=sso.redhat.com --docker-username=REDHAT_CONNECT_USERNAME --docker-password=REDHAT_CONNECT_PASSWORD --docker-email=unused

For both 4.x and 3.11, we apply the openshift.yaml manifest to deploy the Operator:

$ LATEST_RELEASE=$(curl -s https://api.github.com/repos/desk/desk-oneagent-operator/releases/latest | grep tag_name | cut -d '"' -f 4)
$ oc apply -f https://raw.githubusercontent.com/DESK/desk-oneagent-operator/$LATEST_RELEASE/deploy/openshift.yaml
$ oc -n desk logs -f deployment/desk-oneagent-operator

Create the secret holding API and PaaS tokens for authenticating to the DESK cluster. The name of the secret is important in a later step when you configure the custom resource (.spec.tokens). In the following code-snippet the name is oneagent. Be sure to replace API_TOKEN and PAAS_TOKEN with the values explained above.

$ oc -n desk create secret generic oneagent --from-literal="apiToken=API_TOKEN" --from-literal="paasToken=PAAS_TOKEN"

Save the following custom resource snippet to a file cr.yaml. The rollout of DESK OneAgent is governed by a custom resource of type OneAgent.

Custom resource snippet

Download

apiVersion: desk.com/v1alpha1
kind: OneAgent
metadata:
  # a descriptive name for this object.
  # all created child objects will be based on it.
  name: oneagent
  namespace: desk
spec:
  # desk api url including `/api` path at the end
  apiUrl: https://ENVIRONMENTID.live.desk.com/api
  # disable certificate validation checks for installer download and API communication
  skipCertCheck: false
  # name of secret holding `apiToken` and `paasToken`
  # if unset, name of custom resource is used
  tokens: ""
  # node selector to control the selection of nodes (optional)
  nodeSelector: {}
  # https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ (optional)
  tolerations:
  - effect: NoSchedule
    key: node-role.kubernetes.io/master
    operator: Exists
  # oneagent installer image (optional)
  # certified image from Red Hat Container Catalog for use on OpenShift: registry.connect.redhat.com/desk/oneagent
  # defaults to docker.io/desk/oneagent
  image: ""
  # arguments to oneagent installer (optional)
  # https://www.desk.com/support/help/shortlink/oneagent-docker#limitations
  args:
  - APP_LOG_CONTENT_ACCESS=1
  # environment variables for oneagent (optional)
  env: []
  # resource settings for oneagent pods (optional)
  # consumption of oneagent heavily depends on the workload to monitor
  # please adjust values accordingly
  #resources:
  #  requests:
  #    cpu: 200m
  #    memory: 1Gi
  #  limits:
  #    cpu: 600m
  #    memory: 3Gi
  # priority class to assign to oneagent pods (optional)
  # https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
  #priorityClassName: PRIORITYCLASS
  # disables automatic update of oneagent pods in case a new version is available
  #disableAgentUpdate: true
  # Enable management of Istio service entries and virtual services for DESK endpoints to allow for OneAgent monitoring egress traffic to your DESK environment
  #enableIstio: false

Alternatively, you can use the snippet from the GitHub repository.

$ curl -o cr.yaml https://raw.githubusercontent.com/DESK/desk-oneagent-operator/$LATEST_RELEASE/deploy/cr.yaml

Adapt the values of the custom resource as indicated in the following table.

Parameter	Description	Default value
`apiUrl`	DESK SaaS: Replace `ENVIRONMENTID` with your DESK environment ID in `https://ENVIRONMENTID.live.desk.com/api`. DESK Managed: Provide your DESK Server URL (`https://<YourDESKServerURL>/e/<ENVIRONMENTID>/api`)
`tokens`	Name of the secret that holds the API and PaaS tokens from above.	Name of custom resource (`.metadata.name`) if unset
`image`	Define the OneAgent image to be taken. Defaults to the publicly available OneAgent image on Docker Hub. In order to use the certified OneAgent image from Red Hat Container Catalog you need to set `.spec.image` to `registry.connect.redhat.com/desk/oneagent` in the custom resource and provide image pull secrets as shown in the next step.	`docker.io/desk/oneagent:latest` if unset
`args`	Parameters to be passed to the OneAgent installer. All the command line parameters of the installer are supported, with the exception of `INSTALL_PATH`. We recommend to set `APP_LOG_CONTENT_ACCESS=1`	[]

Other parameters...

Parameter	Description	Default value
`skipCertCheck`	Disable certificate validation checks for installer download and API communication. Set to `true` if you want to skip any certification validation checks.	`false`
`nodeSelector`	Keep empty default value. If you want to roll out OneAgent to specific nodes only, provide the `nodeSelectors` here. Refer to Kubernetes docs for details.	{}
`tolerations`	Keep default value to also roll out the OneAgent to master nodes if possible. If you want to apply additional tolerations to OneAgent pods for tainted nodes, provide them here. Refer to Kubernetes docs for details.	[]
`env`	Environment variables for OneAgent container.	[]
`resources`	Resource requests/limits for the OneAgent pods. These settings heavily depend on size of worker nodes and workloads. Please adjust to fit your needs.	{}
`priorityClassName`	Priority class for OneAgent pod. Refer to Kubernetes docs.
`disableAgentUpdate`	Disable the Operator's auto-update feature for OneAgent pods.	`false`
`enableIstio`	Enable management of Istio service entries and virtual services for DESK endpoints to allow for OneAgent monitoring egress traffic to your DESK environment	`false`

Create the custom resource.

$ oc create -f cr.yaml

Open the OpenShift Container Platform Dashboard.

Navigate to Operators > OperatorHub from the side menu.

Select a project, or create a new one, in which to deploy an Operator. This also creates a Kubernetes namespace of the same name.

Click the DESK OneAgent Operator tile.

Click Install.

The next page will prompt you for information about the operator subscription.

For Installation Mode choose the A specific namespace on the cluster option and select the namespace of the project you created.

Keep the remaining default values and click Subscribe.

Navigate to Operators > Installed Operators in the side menu.

Wait for a status of InstallSucceeded for DESK OneAgent operator.

Navigate to Workloads > Secrets from the side menu.

Create a new Key / Value secret named oneagent with two keys / values:

apiToken equal to your cluster's API token
paasToken equal to your cluster's Platform-as-a-Service token.

Navigate to Operators > Installed Operators in the side menu.

Click on the DESK OneAgent Operator.

Click Create instance.

Replace apiURL value as follows:

spec:
  apiURL: 'https://{api-url}/api'

Click Create.

Limitations

The same limitations apply as when deploying OneAgent as a Docker container, except the auto-update. The operator makes sure OneAgents are properly updated.

Additional schemes

Additional allowed deployment schemes

This paragraph specifies the permitted deployment scheme if it is necessary to place images in an internal centralized repository.

Scheme Description

For OneAgent:

1. Using the *.sh agent image from the supplied distribution;
2. Creating an agent image and placing it in the internal repository.
Example: FROM REGISTRY_ADDRESS/desk/oneagent:latest
#!/bin/bash
docker load -i desk-activegate-image-linux-ubuntu-VERSION.tar.gz
docker tag desk-activegate-image-linux-ubuntu:VERSION
REGISTRY_ADDRESS/desk-activegate-image-linux-ubuntu:VERSION
docker push REGISTRY_ADDRESS/desk-activegate-image-linux-ubuntu:VERSION
docker build -t REGISTRY_ADDRESS/desk-oneagent-immutable-image-linux-x86:VERSION
docker push REGISTRY_ADDRESS/desk-oneagent-immutable-image-linux-x86:VERSION
3. Use a pre-configured yaml file