Installing Kuadrant Service Protection into an existing OCM Managed Cluster

Introduction

This walkthrough will show you how to install and setup the Kuadrant Operator into an OCM Managed Cluster.

Prerequisites

• Access to an Open Cluster Management(OCM) (>= v0.11.0) Managed Cluster, which has already been bootstrapped and registered with a hub cluster
• We have a guide which covers this in detail
• For more information on OCM also see:
  • OCM quick start
  • Managed cluster
• Kubectl (>= v1.14.0)
• OLM installed on the ManagedCluster where you want to run the Kuadrant Service Protection components
• For installation guides please see:
  • Operator-sdk
  • OLM
• Istio operator v1.20.0 installed on the spoke clusters
• Please see install guide here
• Gateway API v1
• To install please use: kubectl apply -f "https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.0.0/standard-install.yaml"
• For more information please see: GatewayAPI DOCs

Install the Kuadrant OCM Add-On

To install the Kuadrant Service Protection components into a spoke ManagedCluster, target your OCM Hub cluster with kubectl and run:

kubectl apply -k "github.com/kuadrant/multicluster-gateway-controller.git/config/service-protection-install-guide?ref=release-0.3" -n namespace-of-your-managed-spoke-cluster-on-the-hub

The above command will install the ManagedClusterAddOn resource needed to install the Kuadrant addon into the namespace representing a spoke cluster, and install the Kuadrant data-plane components into the open-cluster-management-agent-addon namespace.

The Kuadrant addon will install:

• Kuadrant Operator
• Limitador (and its associated operator)
• Authorino (and its associated operator)

For more details, see the Kuadrant components installed by the kuadrant-operator

OLM and OpenShift CatalogSource

The Kuadrant OCM (Open Cluster Management) Add-On depends on the Operator Lifecycle Manager (OLM)'s CatalogSource. By default, this is set to olm/operatorhubio-catalog.

In OpenShift environments, OLM comes pre-installed. However, it is configured to use the openshift-marketplace/community-operators CatalogSource by default, not the olm/operatorhubio-catalog.

To align the Kuadrant add-on with the OpenShift default CatalogSource, you can patch the add-on's CatalogSource configuration. Run the following command (note it needs to be run for each managed cluster where the add-on is installed):

kubectl annotate managedclusteraddon kuadrant-addon "addon.open-cluster-management.io/values"='{"CatalogSource":"community-operators", "CatalogSourceNS":"openshift-marketplace"}' -n managed-cluster-ns

Existing Istio installations and changing the default Istio Operator name

In the case where you have an existing Istio installation on a cluster, you may encounter an issue where the Kuadrant Operator expects Istio's Operator to be named istiocontrolplane.

The istioctl command saves the IstioOperator CR that was used to install Istio in a copy of the CR named installed-state.

To let the Kuadrant operator use this existing installation, set the following:

kubectl annotate managedclusteraddon kuadrant-addon "addon.open-cluster-management.io/values"='{"IstioOperator":"installed-state"}' -n <managed spoke cluster>

This will propagate down and update the Kuadrant Operator, used by the Kuadrant OCM Addon.

Changing the name of the channel to use

If you want to use a different channel with the ManagedClusterAddon to install the kuadrant operator. You can do so by overriding the channel with the follow annotation:

kubectl annotate managedclusteraddon kuadrant-addon "addon.open-cluster-management.io/values"='{"CatalogSourceNS":"openshift-marketplace", "CatalogSource":"community-operators", "Channel":"preview"}' -n managed-cluster-ns

This will propagate down and update the Kuadrant Subscription, used by OLM in the spoke.

Verify the Kuadrant addon installation

To verify the Kuadrant OCM addon has installed currently, run:

kubectl wait --timeout=5m -n kuadrant-system kuadrant/kuadrant-sample --for=condition=Ready

You should see the namespace kuadrant-system, and the following pods come up:

• authorino-value
• authorino-operator-value
• kuadrant-operator-controller-manager-value
• limitador-value
• limitador-operator-controller-manager-value

Further Reading

With the Kuadrant data plane components installed, here is some further reading material to help you utilise Authorino and Limitador:

Getting started with Authorino Getting started With Limitador