[DRAFT]
This guide provides scripts and tools to migrate cluster configurations and workloads from an OpenShift cluster to an Anthos or GKE cluster.
This section addresses migrating OpenShift projects, cluster-level configurations and project-level configurations to the target cluster. This process is semi-automated because certain decisions require choices to be made by the person who is migrating. The procedure also allows you to migrate either one application at a time or all the workloads running on a cluster.
- Linux bash shell: These scripts have been tested on an Ubuntu Linux box
- oc - OpenShift client. Log in to the OpenShift cluster from which you are migrating. These scripts expect that you have cluster-wide read access to the OpenShift cluster so that you are able to export cluster configuration
- yq - YAML processing tool
- Install Google Cloud SDK and log in with your Google credentials via SDK
- Export Projects to Namespaces
- Export ClusterResourceQuotas to K8S ResourceQuotas
- Export ClusterRoles and ClusterRoleBindings
- Capture NetNamespaces data
- Export Project Level Resource Quotas
- Export Project Level Service Accounts, Roles and RoleBindings
- Capture Egress Network Policies data
- Apply NetworkPolicies based on EgressNetworkPolicies (WIP)
Read all the steps in the documentation links above. Once you have read and understood them, you can run the following scripts rather than copying and pasting the commands individually. These scripts generate a folder named clusterconfigs with the manifests that can be applied to the target GKE cluster. The folder structure follows the ACM repo layout. You can create a git repo and apply this using ConfigSync to an Anthos cluster.
- Run script#1 that exports namespaces, clusterresourcequotas and cluster roles.
    chmod +x ./scripts/migrateScript1.sh
    ./scripts/migrateScript1.sh
- Review the namespace manifests generated in the clusterconfigs/namespaces folder and remove the ones that don't need to be migrated
- Review ClusterRoles in the clusterconfigs/cluster/cluster-roles folder and remove the ones that don't need to be migrated
- Run script#2 to export ClusterRoleBindings and namespace-level configurations.
    chmod +x ./scripts/migrateScript2.sh
    ./scripts/migrateScript2.sh
- Review the Service Accounts, Roles and RoleBindings that are generated in the individual namespace folders and remove the ones that don't need to be migrated to the target cluster
- Review ClusterResourceQuotas in clusterconfigs/to-review/cluster-resource-quotas and copy the templates to create namespace-specific quotas in the namespace folders with namespace-based allocations
- Review NetNamespaces in the clusterconfigs/to-review/net-namespaces folder. Handling TBD
- Stand up an Anthos cluster if you don't already have one and install Anthos Config Management components
- Install nomos
- Initialize the clusterconfigs repo
    cd clusterconfigs
    nomos init --force
- Create a git repository to host the structure. Initialize the clusterconfigs folder as a git repo and push it to the git repository.
- Install ConfigSync. Configure the git repo as the Sync Repo
- Log in to the Anthos cluster and verify that the manifests from the repository are applied.
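As an aid to the review steps above and to the push to the Config Sync repo, the following added example (not one of this guide's scripts) lists Secret manifests, bindings to cluster-admin, and roles with wildcard verbs found in a manifest tree. The function names and the sample tree are constructed for illustration; it is a heuristic line scan that assumes block-style YAML, not a full YAML parser.

```bash
#!/usr/bin/env bash
# Added example, not one of the guide's scripts: flag generated manifests that
# need a manual decision before the tree is committed to the Config Sync repo.
# Heuristic line scan; assumes block-style YAML as written by `oc get -o yaml`.

scan_file() {  # prints "<reason><TAB><file>" per flagged YAML document
  awk -v file="$1" '
    function flush() {
      if (kind == "Secret") print "secret\t" file
      if (kind ~ /RoleBinding$/ && ref == "cluster-admin") print "cluster-admin-binding\t" file
      if (kind ~ /Role$/ && wild) print "wildcard-verbs\t" file
      kind = ""; ref = ""; wild = 0; inref = 0; inverbs = 0
    }
    { gsub(/["\047]/, "") }          # drop quotes so "*" and * look the same
    /^---/ { flush(); next }         # document separator
    /^kind:/ { kind = $2 }           # top-level kind only
    /^[^ ]/ { inref = 0 }            # a new top-level key ends the roleRef block
    /^roleRef:/ { inref = 1 }
    inref && $1 == "name:" { ref = $2 }
    /^[ -]*verbs:/ { inverbs = 1; if ($0 ~ /\*/) wild = 1; next }
    inverbs && /^ *- [^:]*$/ { if ($0 ~ /\*/) wild = 1; next }
    { inverbs = 0 }
    END { flush() }
  ' "$1"
}

scan_tree() {  # scan every .yaml/.yml file under the directory in $1
  find "$1" -type f \( -name '*.yaml' -o -name '*.yml' \) | sort |
    while IFS= read -r f; do scan_file "$f"; done
}

review_gate() {  # non-zero exit when anything is flagged (usable as a pre-push check)
  findings=$(scan_tree "$1")
  if [ -z "$findings" ]; then return 0; fi
  printf '%s\n' "$findings" >&2
  return 1
}

make_sample_tree() {  # constructed sample input, not real export output
  mkdir -p "$1/namespaces/demo-app" "$1/cluster/cluster-roles"
  printf 'kind: Secret\nmetadata:\n  name: db-pass\n' > "$1/namespaces/demo-app/secret.yaml"
  printf 'kind: RoleBinding\nroleRef:\n  kind: ClusterRole\n  name: cluster-admin\nsubjects:\n- kind: ServiceAccount\n  name: builder\n' > "$1/namespaces/demo-app/rolebinding.yaml"
  printf 'kind: ClusterRole\nrules:\n- apiGroups: [""]\n  resources: ["*"]\n  verbs:\n  - "*"\n' > "$1/cluster/cluster-roles/ops.yaml"
  printf 'kind: Role\nrules:\n- resources: ["pods"]\n  verbs: ["get", "list"]\n' > "$1/namespaces/demo-app/viewer-role.yaml"
}

if [ -n "${1:-}" ]; then review_gate "$1"; else
  demo=$(mktemp -d); make_sample_tree "$demo"; scan_tree "$demo"; rm -rf "$demo"
fi
```

Pass the directory to scan as the first argument; with no argument the script runs against the constructed sample tree.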
Security policies will be applied on the Anthos cluster using ACM Policy Controller. Constraints can be created using the constraint template library that Google provides, or you can write your own constraint templates.
- Install Policy Controller. Exclude the following namespaces from Policy Controller (refer to Exempt namespaces). Review the list; you may have more to exclude depending on which namespaces you don't want to apply policies to.
    kube-system
    kube-public
    gke-connect
    gke-system
    config-management-system
    gatekeeper-system
    istio-system
    cnrm-system
    knative-serving
    monitoring-system
- Verify that the constraint policy templates are installed by running
    kubectl get constrainttemplates
- Relax constraints for special workloads (WIP)
- Export application manifests such as deployment configurations, deployments, services, routes, persistent volumes and config maps from each namespace on the OpenShift cluster. These can be exported individually on a per-namespace basis, or you can run the following script to export them for all the selected namespaces in the clusterconfigs/namespaces folder. The source manifests are copied into the ocp-manifests/namespaces folder in order to convert them in the next step.
    ./scripts/exportApplicationManifests.sh
  CAUTION: While secrets can also be copied from the OpenShift cluster, this is sensitive data, so you may want to use discretion on copying secrets vs. applying them directly on the target cluster. DON'T RUN THE COMMAND BELOW until you are ABSOLUTELY SURE that you want to copy secrets from the source cluster.
    ./scripts/exportSecrets.sh
- Migrate images from the OpenShift Internal Registry, if required. This is needed only if the application images are stored in the OpenShift Internal Registry.
WIP
WIP