Configure Environment Variables in OpenShift
This topic describes the specific environment variables that a Container Gateway uses in an OpenShift deployment.
IMPORTANT:
Although symbols can be used in the ssg.adminusername and ssg.adminpassword variables, certain symbols such as @ ! # , % cannot be used as the first character of the input, and a colon (:) cannot be used as the last character of the input. This is due to a mixture of the oc process command and script interpretation. CA Technologies recommends that all strings begin with an alphanumeric character and end with either an alphanumeric character or a symbol that is not a colon.
Image Pull
The container-gateway.env sample file is an example of where OpenShift should pull an image from.

Variable | Required? | Default | Description |
DOCKER_REGISTRY | Yes | - | Docker registry's hostname |
DOCKER_IMAGE_NAME | Yes | - | Container image name |
DOCKER_IMAGE_TAG | Yes | - | Container image's tag |
DOCKER_REGISTRY_INSECURE | Yes | - | An image stream can be configured to import tag and image metadata from insecure image registries, such as those signed with a self-signed certificate or using plain HTTP instead of HTTPS. Set this value to false. |

Secrets
Refer to the official OpenShift documentation on how to properly configure and manage your secrets in OpenShift. The sample file is an example of how to use the OpenShift secrets management, but there are more advanced usages available in their documentation.
For more information, see the sample OpenShift deployment files.
Image-Pull Secret Resource
A pod's service account determines which secrets the pod is allowed to use. One use of these secrets is to provide the credentials used when pulling images for the pod's containers. The oc commands in the example below, taken from the sample deploy.sh script, show how to create a new .dockercfg file for the secured registry and then configure the secret to be used for image pulling.

    # create secret resource for the docker registry
    oc secrets new-dockercfg my_docker_registry_resource_name --docker-server=my_docker_registry_hostname.com --docker-username=myusername --docker-password=mypassword --docker-email=nobody@ca.com
    # link secret resource to the service account
    oc secrets link serviceaccount/default secret/my_docker_registry_resource_name --for=pull

Environment Variable Secret Resource
The container-gateway-secrets.yml file holds the template for the secret resource containing the environment variables. When you update the paths to the SSG_LICENSE.xml and (optionally) the SSLKEY.p12 files, the files are passed to the template and used to create the secrets resource. Any password, hostname, or data that you do not want shown as plain text (inside OpenShift) can be put into this secrets.yml file.

    echo "--Setting the license and SSL key"
    # The strings for LICENSE and SSLKEY should not contain any newlines, for windows you can use | base64 --wrap=0
    echo "LICENSE=\"$(gzip -c ~/workspace/gateway/LICENSE.xml | base64)\"" > LICENSE.gz.base64
    echo "SSLKEY=\"$(cat ~/workspace/gateway/SSLKEY.p12 | base64)\"" > SSLKEY.base64
    echo "--Creating the secrets"
    oc process -f container-gateway-secrets.yml --param-file=LICENSE.gz.base64 --param-file=SSLKEY.base64 | oc create -f -

The secrets data needs to match the Container Gateway's configuration yml file. For example, the ssg.adminusername value stated in this template file should match the value inside the env configuration in container-gateway.yml.

    - name: SSG_ADMIN_USERNAME
      valueFrom:
        secretKeyRef:
          name: containergateway
          key: ssg.adminusername
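
A pre-flight check for the two input rules on this page, the first/last-character recommendation for ssg.adminusername and ssg.adminpassword and the no-newline requirement for the LICENSE and SSLKEY parameter files. This is an added example, not part of the sample deploy.sh; the function names and sample values are assumptions made for illustration, and the parameter-file check assumes the KEY="base64" layout that the echo commands above produce.

```shell
#!/bin/sh
# Added example: validate inputs before they reach `oc process`.
# Function names are hypothetical; they do not come from the sample deploy.sh.

# Succeeds only if the value follows the recommendation in the IMPORTANT note:
# first character alphanumeric, last character anything except a colon.
valid_ssg_credential() (
    LC_ALL=C                      # keep the character ranges ASCII-only
    case $1 in
        '')            exit 1 ;;  # empty input
        [!A-Za-z0-9]*) exit 1 ;;  # starts with a symbol such as @ ! # , %
        *:)            exit 1 ;;  # ends with a colon
    esac
    exit 0
)

# Succeeds only if the parameter file is exactly one line of the form
# KEY="<base64>", i.e. the encoded LICENSE or SSLKEY value was not wrapped.
param_file_is_single_line() {
    awk -v re='^[A-Z_]+="[A-Za-z0-9+/=]+"$' '
        NR == 1 && $0 ~ re { ok = 1 }
        END { exit ((NR == 1 && ok) ? 0 : 1) }
    ' "$1"
}

# Constructed sample values, not real credentials.
for candidate in 'gwadmin' '@gwadmin' 'gwadmin:' 'Gw#admin!'; do
    if valid_ssg_credential "$candidate"; then
        echo "ok:     $candidate"
    else
        echo "reject: $candidate"
    fi
done
```

Run `param_file_is_single_line LICENSE.gz.base64` and `param_file_is_single_line SSLKEY.base64` after generating the files and before the `oc process` step; a non-zero status means the encoded value contains line breaks.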