Migration from OpenShift to Anthos/GKE Cluster

[DRAFT]

This guide provides scripts and tools to migrate cluster configurations and workloads from an OpenShift cluster to an Anthos or GKE cluster.

Migrating OpenShift Project Configurations

This section covers migrating OpenShift projects, cluster-level configurations and project-level configurations to the target cluster. The process is semi-automated because certain decisions must be made by the person performing the migration. The procedure also lets you migrate either one application at a time or all the workloads running on a cluster.

Prerequisites

  • Linux bash shell: these scripts have been tested on an Ubuntu Linux box

  • oc - OpenShift client. Log in to the OpenShift cluster from which you are migrating. These scripts expect that you have cluster-wide read access to the OpenShift cluster so that you can export the cluster configuration

  • yq - YAML processing tool

  • Install the Google Cloud SDK and log in with your Google credentials via the SDK

Export Project Configurations

All the steps in the above documentation links should be read. Once you have read and understood them, you can run the following scripts rather than copying and pasting the scripts individually. These scripts generate a folder named clusterconfigs containing the manifests that can be applied to the target GKE cluster. The folder structure follows the ACM repo layout. You can create a git repo and apply it to an Anthos cluster using ConfigSync.

  • Run script #1, which exports namespaces, ClusterResourceQuotas and cluster roles.

    chmod +x ./scripts/migrateScript1.sh
    ./scripts/migrateScript1.sh

  • Review the namespace manifests generated in the clusterconfigs/namespaces and remove the ones that don't need to be migrated
  • Review ClusterRoles in the clusterconfigs/cluster/cluster-roles folder and remove the ones that don't need to be migrated
  • Run script #2 to export ClusterRoleBindings and namespace-level configurations.

    chmod +x ./scripts/migrateScript2.sh
    ./scripts/migrateScript2.sh

  • Review the Service Accounts, Roles and RoleBindings that are generated in the individual namespace folders and remove the ones that don't need to be migrated to the target cluster
  • Review ClusterResourceQuotas in clusterconfigs/to-review/cluster-resource-quotas and copy the templates to create namespace specific quotas in the namespace folders with namespace based allocations
  • Review NetNamespaces in the clusterconfigs/to-review/net-namespaces folder. Handling TBD
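
To help prioritise the ClusterRole and Role review steps above, the following added example (not one of this repository's migrate scripts) lists exported manifests whose rules contain wildcards, the escalate, bind or impersonate verbs, or access to secrets. It assumes one object per YAML file; review_rbac and make_sample are hypothetical names and the sample roles are constructed.

```bash
#!/usr/bin/env bash
# Added example, not one of this repository's migrate scripts.
# Assumes one object per YAML file, as `oc get -o yaml` writes it.

review_rbac() {   # usage: review_rbac <dir>; prints "<file>: <finding>" lines
  local f
  find "$1" -type f \( -name '*.yaml' -o -name '*.yml' \) | sort |
  while IFS= read -r f; do
    awk -v file="$f" '
      function add(msg) { if (!(msg in seen)) { seen[msg] = 1; out[++n] = msg } }
      function check(key, val) {
        gsub(/[^A-Za-z0-9*]/, "", val)    # drop quotes, spaces, brackets
        if (index(val, "*")) add("wildcard in " key)
        else if (key == "verbs" && val ~ /^(escalate|bind|impersonate)$/) add("verb " val)
        else if (key == "resources" && val == "secrets") add("access to secrets")
      }
      /^kind:[ ]*(Cluster)?Role[ ]*$/ { is_role = 1 }
      /^[ -]*(apiGroups|resources|verbs|nonResourceURLs):/ {
        key = $0; sub(/:.*/, "", key); gsub(/[ -]/, "", key)
        rest = $0; sub(/^[^:]*:/, "", rest)
        if (index(rest, "[")) {           # flow style, e.g. verbs: ["get", "*"]
          m = split(rest, a, ","); for (i = 1; i <= m; i++) check(key, a[i])
        }
        next
      }
      /^[ ]*-[ ]/ { if (key != "") check(key, $0); next }  # block-style list item
      { key = "" }                        # any other line ends the current list
      END { if (is_role) for (i = 1; i <= n; i++) print file ": " out[i] }
    ' "$f"
  done
}

# Constructed sample standing in for clusterconfigs/cluster/cluster-roles.
make_sample() {
  local d; d=$(mktemp -d)
  printf '%s\n' 'apiVersion: rbac.authorization.k8s.io/v1' 'kind: ClusterRole' \
    'metadata:' '  name: legacy-admin' 'rules:' '- apiGroups:' '  - "*"' \
    '  resources:' '  - secrets' '  verbs:' '  - get' '  - impersonate' \
    > "$d/legacy-admin.yaml"
  printf '%s\n' 'kind: ClusterRole' 'metadata:' '  name: pod-reader' 'rules:' \
    '- apiGroups: [""]' '  resources: ["pods"]' '  verbs: ["get", "list"]' \
    > "$d/pod-reader.yaml"
  echo "$d"
}

review_rbac "$(make_sample)"
```

Against a real export, call it as review_rbac clusterconfigs/cluster/cluster-roles, or point it at the namespace folders to cover the exported Roles. A file with no findings still needs the manual review described above; the output only orders the work.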

Apply Configurations with Anthos Config Manager (ACM)

    cd clusterconfigs
    nomos init --force

  • Create a git repository to host the structure. Initialize the clusterconfigs folder as a git repo and push it to the git repository.
  • Install ConfigSync. Configure the git repo as the Sync Repo.
  • Log in to the Anthos cluster and verify that the manifests from the repository are applied.

Migrating OpenShift SCCs to ACM Constraints

Security policies will be applied on the Anthos cluster using ACM Policy Controller. Constraints can be created using the constraint template library that Google provides, or you can write your own constraint templates.

  • Install Policy Controller. Exclude the following namespaces from Policy Controller (refer to Exempt namespaces). Review the list; you may have more to exclude, depending on which namespaces you don't want policies applied to.

    kube-system
    kube-public
    gke-connect
    gke-system
    config-management-system
    gatekeeper-system
    istio-system
    cnrm-system
    knative-serving
    monitoring-system

Migrating Workloads to Target GKE Cluster

  • Export application manifests such as deployment configurations, deployments, services, routes, persistent volumes and config maps from each namespace on the OpenShift cluster.

    These can be exported individually on a per-namespace basis, or you can run the following script to export them for all the selected namespaces in the clusterconfigs/namespaces folder. The source manifests are copied into the ocp-manifests/namespaces folder so that they can be converted in the next step.

    ./scripts/exportApplicationManifests.sh
    

    CAUTION: While secrets can also be copied from the OpenShift cluster, this is sensitive data, so use discretion in choosing between copying secrets and applying them directly on the target cluster. DON'T RUN THE COMMAND BELOW until you are ABSOLUTELY SURE that you want to copy secrets from the source cluster.

    ./scripts/exportSecrets.sh
    
  • Migrate Images from OpenShift Internal Registry, if required. This is needed only if the application images are stored in OpenShift Internal Registry.

WIP

Migrate Persistent Data

WIP