# Installation on Red Hat OpenShift using the Operator
# Overview
The following tutorial shows how to install an Entando Application using the Entando Operator and covers a few common enterprise configurations. You may also find the alternative manual instructions useful.
Scenario 1 is similar to the Entando quickstart style of deployment which can be applied in many environments, including on developer laptops. The subsequent scenarios build on that initial setup but can also be performed independently. Unless otherwise noted, you have the freedom to keep or modify the default options when installing the Entando Operator and other resources.
# Prerequisites
- OpenShift 4.8.x
- Cluster-admin access to OpenShift for initial installation of the Entando Operator
- Familiarity with the OpenShift console and operation
# Add the Entando Operator to the OperatorHub
A cluster admin can add the 7.0 version of the Entando Operator into the local OperatorHub using the following command.
oc apply -f https://raw.githubusercontent.com/entando/entando-releases/v7.0.2/dist/ge-1-1-6/samples/openshift-catalog-source.yaml
# Scenario 1 - Embedded Database
The initial scenario deploys the operator and Entando Application into a single namespace. We start with the smallest application footprint by using an embedded database, although this is not recommended for production use cases.
- Locate the Entando Operator in the
Operators
→OperatorHub
. Make sure to select the appropriate version. - Click
Install
to view the Entando Operator install options - Select
A specific namespace on the cluster
for theInstallation mode
- Choose an empty namespace for
Installed Namespace
. You can create one fromHome
→Projects
first, if needed, e.g.entando-one
. - Click
Install
to install the operator into your target namespace - The install may take a few minutes to complete, after which you can click
View Operator
to see the operator in your namespace. You can also go toOperators
→Installed Operators
at any time and select it from there. - Now go to
EntandoApp
and clickCreate EntandoApp
- Keep the default
my-app
as your application name or select your own - Select the EntandoApp version:
7.0
- Keep the default
- Provide an
Ingress Host Name
specific to your namespace, e.g.my-app.YOUR-BASE-OPENSHIFT-URL
. In CRC you can keep the defaultentando.apps-crc.testing
for your first project. - Change the
DBMS
value toembedded
. This is the lightest and quickest way to test a full Entando Application. However, a non-embedded relational database is strongly recommended for production use. - Click
Create
. The Entando Operator proceeds to deploy the appropriate resources. - Go to
EntandoApp
→my-app
to check the status of the deploy
See the Next Steps below to continue your work with Entando.
# Scenario 2 - PostgreSQL
For this scenario we prepare a more production-like configuration. Here we switch from an embedded on-disk database to a dedicated PostgreSQL database. This scenario starts where step 6 ends in the previous scenario. If you already ran Scenario 1, you can either go to that project and remove the EntandoApp and ProvidedCapabilities via Installed Operators
→ Entando Operator
or prepare a new project using steps 1-5 above.
Now create a new application, this time using PostgreSQL.
- Go to
EntandoApp
and clickCreate instance
- Keep the default
my-app
as your application name or select your own - Select the EntandoApp version:
7.0
- Keep the default
- Set the
Ingress Host Name
as in Scenario 1 above - Keep the default
DBMS
value ofpostgresql
- Click
Create
. The Entando Operator now deploys the appropriate resources as in Scenario 1 but with the addition of a PostgreSQL database deployment.
See the Next Steps below to continue your work with Entando.
# Scenario 3 - PostgreSQL plus OpenShift SSL
This scenario sets up PostgreSQL, like Scenario 2, but also enables SSL using OpenShift's internal Certificate Authority (CA). As a starting point, you can either remove the EntandoApp and ProvidedCapabilities using the Entando Operator or you can prepare a new project per steps 1-5 in Scenario 1.
- Using your browser, examine and save the SSL certificate for your environment
- In Chrome, go to any OpenShift console page and click on
View Site Information
next to the URL. Note that it may be labeledNot secure
. - Go to
Details
->Copy to File
and save the certificate as a Base-64 encoded X.509 file, e.g.openshift.cer
.
- In Chrome, go to any OpenShift console page and click on
- Go to
Workloads
→Secrets
→Create
and selectKey/value secret
- Set the
Secret Name
, e.g.entando-ca-cert-secret
- Set the
Key
, e.g.openshift.cer
- Set the
Value
by clickingBrowse...
and loading the file you saved in Step 1 - Click
Create
- Next, go to
Workloads
→ConfigMaps
and create or update the ConfigMap namedentando-operator-config
. This is the ConfigMap used by the operator to configure the deployments. You can download the Entando Operator template as a starting point. Set the "data/entando.ca.secret.name" to match the name from step 3.
data:
entando.ca.secret.name: entando-ca-cert-secret
entando.use.auto.cert.generation: 'true'
- Click
Create
Now let's create a new application similar to Scenario 2, but with OpenShift SSL in place.
- Go to
EntandoApp
and clickCreate instance
- Keep the default
my-app
as your application name or select your own - Select the EntandoApp version:
7.0
- Set the
Ingress Host Name
as in Scenario 1 above - Keep the default
DBMS
value ofpostgresql
- Keep the default
- Click
Create
. The Entando Operator proceeds to deploy the appropriate resources.
Once the deployment is complete, you can confirm that all routes use HTTPS with OpenShift's CA. You may still see security warnings in the browser.
See the Next Steps below to continue your work with Entando.
# Scenario 4 - PostgreSQL plus Self-Signed SSL
This scenario is similar to Scenario 3, but here you'll use a self-signed certificate instead of a certificate provided by OpenShift's internal Certificate Authority. As a starting point, you can either remove the EntandoApp and Provided Capabilities from the previous scenarios or prepare a new project per steps 1-5 in Scenario 1.
Start by creating a self-signed certificate and then prepare the Secrets and ConfigMap to match. There are various ways to create an X.509 self-signed certificate, so you can use your preferred mechanism.
- Using OpenSSL (opens new window), create a certificate for your application. You'll need to adjust the Common Name (CN) value to match the
Ingress Host Name
for your project.
openssl req -nodes -x509 -newkey rsa:4096 -keyout tls.key -out tls.crt -days 365 -subj "/CN=entando.apps-crc.testing"
You should see output similar to this:
Generating a RSA private key
.....................................................................++++
........................................................................................................................................................................................++++
writing new private key to 'tls.key'
-----
Now you can create a TLS Secret using the generated files.
- Go to
Workloads
→Secrets
→Create
and selectFrom YAML
. Use the following YAML as a starting point and then clickCreate
.
kind: Secret
apiVersion: v1
metadata:
name: entando-tls-secret
data:
tls.key: ''
tls.crt: ''
type: kubernetes.io/tls
- Click on
Actions
→Edit Secret
and use theBrowse...
buttons to upload the key and cert files.
Now create the entando-ca-cert-secret
Secret, similar to what was done in Scenario 3, but this time using the self-signed certificate.
Go to
Workloads
→Secrets
→Create
and selectKey/value secret
For multiple certificates, see note below on Certificate Chains.Set the
Secret Name
, e.g.entando-ca-cert-secret
Set the
Key
, e.g.tls.crt
Set the
Value
by clickingBrowse...
and loading the cert file from Step 1, e.g.tls.crt
Click
Create
Next, go to
Workloads
→ConfigMaps
and update or create a ConfigMap namedentando-operator-config
. This is the ConfigMap used by the operator to configure the deployments. You can download the Entando Operator template as a starting point. Set the "data/entando.ca.secret.name" and "data/entando.tls.secret.name" to match the names from above.
data:
entando.ca.secret.name: entando-ca-cert-secret
entando.tls.secret.name: entando-tls-secret
- Click
Create
Now let's create a new application similar to Scenario 3, but with the self-signed SSL certificate.
- Go to
EntandoApp
and clickCreate instance
- Keep the default
my-app
as your application name or select your own - Select the EntandoApp version:
7.0
- Set the
Ingress Host Name
as in Scenario 1 above. It should match the CN used to generate the certificate in step 1. - Keep the default
DBMS
value aspostgresql
- Click
Create
. The Entando Operator now proceeds to deploy the appropriate resources.
Once the deployment is complete, you can confirm that all routes use HTTPS with the self-signed certificate. You may still see security warnings in the browser.
# Note: Certificate Chains
If you have multiple certificates to load into OpenShift, you must pass each with its own identifier.
ca0.crt: → a single CA certificate
ca1.crt: → another CA certificate
...
ca5.crt → last CA certificate
See the Next Steps below to continue your work with Entando.
# Next Steps
Once you've completed any of the scenarios above, you have several options.
- Check out
Networking
→Routes
to see the URLs for the running services. Common starting points include the Entando App Builder (e.g.http://entando.apps-crc.testing/app-builder/
) or the Entando Application itself (e.g.http://entando.apps-crc.testing/entando-de-app/
). - See the Entando Operator Configuration for options related to timeout settings and the default image registry.
- This suggested list of next steps could also be useful.