---
title: Getting started
weight: 10
aliases: /layered-zero-trust/lzt-getting-started/
---
:toc:
:imagesdir: /images
:_mod-docs-content-type: ASSEMBLY

include::modules/comm-attributes.adoc[]

[id="lzt-deploying-lzt-pattern"]
= Deploying the Layered Zero Trust pattern

Follow these instructions to configure and deploy the Layered Zero Trust pattern.

.Prerequisites

* An {ocp} 4.20 or newer cluster with:
.. publicly signed certificates for Ingress.
.. a default `StorageClass` that provides dynamic `PersistentVolume` storage.
* To customize the default configuration, you must have a GitHub account and a token with repository permissions, so that you can read from and write to your forks.
* Access to Podman (or Docker) to run the container images that the `pattern.sh` script uses for provisioning.
* Fulfill the general link:https://validatedpatterns.io/learn/quickstart/#_prerequisites[prerequisites for Validated Patterns].
* Depending on the characteristics of your cluster, you might need additional hardware resources for the {rh-rhacm-first} component. For a single-node cluster, you can start with 4 vCPUs, 16 GB of memory, and 120 GB of storage.
+
For more details about {rh-rhacm} sizing, see link:https://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.14/html-single/install/index#sizing-your-cluster[Sizing your cluster].
* (Optional) The Helm binary. For installation instructions, see link:https://helm.sh/docs/intro/install/[Installing Helm].

[NOTE]
====
The Layered Zero Trust pattern's default deployment assumes that none of its components have been installed previously. Verify that your {ocp} environment does not already contain any of xref:/patterns/layered-zero-trust/index.html#architecture[the listed components] before proceeding.
====

[id="lzt-repository-setup"]
== Repository setup

Follow these instructions to set up the project repository:

. Fork the layered-zero-trust repository from GitHub.
You must fork the repository because your fork is updated as part of the GitOps and DevOps processes.
. Clone your forked repository.
+
[source,terminal]
----
$ git clone git@github.com:/layered-zero-trust.git
----
. Go to your repository. Ensure that you are in the root directory of your Git repository by using the following command:
+
[source,terminal]
----
$ cd
----
. Set up the upstream remote repository:
+
[source,terminal]
----
$ git remote add -f upstream https://github.com/validatedpatterns/layered-zero-trust.git
----
. Verify the setup of your remote repositories by running the following command:
+
[source,terminal]
----
$ git remote -v
----
+
Example output:
+
[source,terminal]
----
origin   git@github.com:/layered-zero-trust.git (fetch)
origin   git@github.com:/layered-zero-trust.git (push)
upstream https://github.com/validatedpatterns/layered-zero-trust.git (fetch)
upstream https://github.com/validatedpatterns/layered-zero-trust.git (push)
----
. Create a local copy of the secret values file, which can safely include credentials because it lives outside the repository. Run the following command:
+
[source,terminal]
----
$ cp values-secret.yaml.template ~/values-secret-layered-zero-trust.yaml
----
+
[NOTE]
====
To prevent pushing secrets to your Git repository, the command places the secret values file (`values-secret-layered-zero-trust.yaml`) in your home directory rather than in the repository. You derive this file from the `values-secret.yaml.template` file located in the pattern's top-level directory. When you create new patterns, add your secrets to the secret values file in your home directory.
====
. Create a new feature branch, for example `my-branch`, from the `main` branch for your content:
+
[source,terminal]
----
$ git checkout -b my-branch main
----
. (Optional) To customize the execution of the pattern, change the Helm values files and then commit the changes:
+
[source,terminal]
----
$ git add
$ git commit -m "Pattern customization"
----
+
[NOTE]
====
The following configuration files define the behavior and settings of the various components in the Layered Zero Trust pattern. You can customize these files to fit your specific deployment needs.

* `values-global.yaml`: Global pattern configuration
* `values-hub.yaml`: Hub cluster-specific configuration
* `values-secret.yaml`: Secret values (created from the template)
* `values-.yaml`: Environment-specific overrides (AWS, Azure, GCP)
====
. Push the changes from your local branch to your forked repository:
+
[source,terminal]
----
$ git push origin my-branch
----

[id="deploying-cluster-using-patternsh-file"]
== Deploying the pattern by using the pattern.sh file

Deploy the Layered Zero Trust pattern by using the `pattern.sh` script.

. Log in to your {ocp} cluster:
.. By using the `oc` CLI:
* Get an API token by visiting `pass:[https://oauth-openshift.apps../oauth/token/request]`.
* Log in with the retrieved token:
+
[source,terminal]
----
$ oc login --token= --server=https://api..:6443
----
.. By using `KUBECONFIG`:
+
[source,terminal]
----
$ export KUBECONFIG=~/
----
. Run the pattern deployment script:
+
[source,terminal]
----
$ ./pattern.sh make install
----

[id="lzt-verify-deployment"]
=== Verify the deployment

The Layered Zero Trust pattern provisions every component and manages them through {ocp} GitOps. After you deploy the pattern, verify that all components are running correctly.

The Layered Zero Trust pattern installs the following two {ocp} GitOps instances on your Hub cluster. You can view these instances in the {ocp} web console by using the **Application Selector** (the icon with nine small squares) in the top navigation bar.

. **Cluster Argo CD**: Deploys an *App-of-Apps* application named `layered-zero-trust-hub`.
This application installs the pattern's components.
. **Hub Argo CD**: Manages the Cluster Argo CD instance and the individual components that belong to the pattern on the hub {ocp} instance.

If every Argo CD application reports a **Healthy** status, the pattern has been deployed successfully.

[id="lzt-importing-existing-clusters"]
== Importing existing clusters

The pattern supports importing pre-existing {ocp} clusters into the Hub cluster, converting them into *Managed Clusters*.

[WARNING]
====
Do not use the `ClusterPools` configuration settings for {rh-rhacm} chart provisioning. The `ClusterPools` technology is limited to cloud environments. Instead, use the `acm-managed-clusters` chart to import your existing standalone clusters.
====

.Procedure

. Copy the `kubeconfig` file of the cluster you want to import to your local system.
. In the `values-secret.yaml` file, define the `kubeconfig` secret by providing the local file system path to the `kubeconfig` file you copied in Step 1.
+
[source,yaml]
----
- name: kubeconfig-spoke
  vaultPrefixes:
  - hub
  fields:
  - name: content
    path: ~/.kube/kubeconfig-ztvp-spoke
----
. In the `values-hub.yaml` file, add a new entry in the `clusterGroup.managedClusterGroups` key.
+
[source,yaml]
----
managedClusterGroups:
  exampleRegion:
    name: group-one
    acmlabels:
    - name: clusterGroup
      value: group-one
    helmOverrides:
    - name: clusterGroup.isHubCluster
      value: false
----
. Also in the `values-hub.yaml` file, add your cluster definition in the `acmManagedClusters.clusters` key.
+
[source,yaml]
----
acmManagedClusters:
  clusters:
  - name: ztvp-spoke-1
    clusterGroup: group-one
    labels:
      cloud: auto-detect
      vendor: auto-detect
    kubeconfigVaultPath: secret/data/hub/kubeconfig-spoke
----
. Deploy the pattern.
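After the initial deployment, and again after importing a cluster, the check from Verify the deployment can be scripted. The following POSIX shell script is an added example, not code from the layered-zero-trust repository or its documentation: it lists every Argo CD Application on the hub (both GitOps instances, since all namespaces are queried) and reports any that is not both Healthy and Synced. It assumes a logged-in `oc` CLI; the sample listing and the component application names other than `layered-zero-trust-hub` are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the layered-zero-trust repository: report Argo CD
# Applications on the hub that are not both Healthy and Synced. Applications
# from both GitOps instances are included because all namespaces are queried.

# Live check: one "namespace name health sync" line per Application.
# Assumes the oc CLI is logged in to the hub cluster (see "Deploying the
# pattern by using the pattern.sh file").
collect_apps() {
    oc get applications.argoproj.io -A --no-headers \
        -o custom-columns='NS:.metadata.namespace,NAME:.metadata.name,HEALTH:.status.health.status,SYNC:.status.sync.status'
}

# Reads "namespace name health sync" lines on stdin, prints one line per
# Application that is not ready, and exits 1 if any were found (0 otherwise).
# Missing status fields are printed as "<none>" by oc and count as not ready.
check_apps() {
    awk '
        NF >= 4 && ($3 != "Healthy" || $4 != "Synced") {
            printf "NOT READY: %s/%s health=%s sync=%s\n", $1, $2, $3, $4
            bad++
        }
        END { exit (bad > 0) }
    '
}

# Constructed sample, as the listing might look while the App-of-Apps
# (layered-zero-trust-hub) is still rolling out components. The component
# application names below are made up for the example.
SAMPLE='openshift-gitops layered-zero-trust-hub Healthy Synced
layered-zero-trust-hub example-component-a Healthy Synced
layered-zero-trust-hub example-component-b Progressing OutOfSync
layered-zero-trust-hub example-component-c <none> Unknown'

# Usage: sh check-apps.sh --live   (query the cluster)
#        sh check-apps.sh --sample (run against the constructed sample)
case "${1:-}" in
    --live)   collect_apps | check_apps ;;
    --sample) printf '%s\n' "$SAMPLE" | check_apps ;;
esac
```

The exit status makes the script usable as a gate in a pipeline that waits for the pattern to finish reconciling before importing further clusters.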