Example | Installing Edge on OpenShift via default Edge CLI method

Edge enables the Collibra Platform to safely connect to your data sources hosted in an on-premises or cloud environment. It processes the data source information locally on the Edge site and sends the metadeta results to Collibra Platform. By installing an Edge site on OpenShift via the default Edge CLI method, you can:

  • Ensure data stays within your firewall, as only metadata is sent to Collibra.
  • Streamline your Edge site deployment.
  • Ensure the Edge site is always running and can scale its pods as needed using OpenShift’s native capabilities.
  • Reduce manual configuration and administrative oversight during the initial namespace and priority class creation.

Scenario

You are an Edge Administrator and have been asked to deploy an Edge site on your organization's OpenShift Kubernetes cluster. As you security team are happy for Edge to create the required cluster level objects, such as namespaces and priority classes, you decide to install the Edge site via the default Edge CLI method.

Learn how to prepare your environment for and install your Commercial Edge site on an OpenShift Kubernetes cluster via the Edge CLI default method on the latest Collibra UI. In this use case guide, you will do the following:

  • Review and confirm that your environment and OpenShift cluster meet the minimum requirements.
  • Create an Edge site.
  • Install your Edge site.
  • Confirm your newly installed Edge site is healthy.

This guide doesn’t cover the use of a forward proxy. A forward proxy must be configured before you install your Edge site.

Prerequisites

On your local machine

You can confirm, or know who to reach out to in your organization that can confirm, that your server meets the following system and network requirements:

OpenShift cluster

  • OpenShift 4.14, 4.15, 4.16, 4.17, 4.18, and 4.19 are supported for new Edge sites.
  • Your OpenShift cluster must have at least 2 worker nodes.
  • You have admin level access in your cluster.
  • The total cluster capacity has at least 16 core CPU and 64 GB memory, for example, 4 worker nodes each with 4 core CPU and 16 GB.
  • Each worker node has at least 100 GB of free disk space to store Docker images, logs, and ephemeral cluster data.

Server

  • A Linux server for x86_64 architecture where bash is available. This is the server from which you install the Edge software on OpenShift.

    Tip This server will also contain the Edge tools

  • You have a kubeconfig file with plain cluster_admin kubectl access to the OpenShift cluster.
  • The kubeconfig environment variable is set to a kubeconfig that provides plain cluster_admin kubectl access to the OpenShift cluster.
  • Your Kubectl client is compatible with your OpenShift version.

Network

  • An Edge site needs outbound connections to all of the following:
    • The URL of your Collibra Platform environment.
    • https://http-intake.logs.datadoghq.com: This URL is used to collect some of the logs from Edge for issue diagnosis. We do not send JDBC driver logs from Edge to Datadog.
    • https://*.repository.collibra.io: This URL serves as the primary source for downloading the latest Edge docker images from Collibra's docker registry and helm-chart repository.
      Note If the allowlist does not accept wildcards:
      • https://repository.collibra.io
      • https://edge-docker-delivery.repository.collibra.io
      • https://mirror-docker.repository.collibra.io
  • Access to all data sources you need to connect to your Edge sites.

    • Within Collibra

    • To create and install your Edge site:
      • You have enabled database registration via Edge in Collibra Console.

        Note You must restart the Data Governance Center service when you have enabled this option.

      • You have a global role or roles that have the following global permissions:
        • Manage Edge sites
        • Instal Edge sites
        • User Administration

    Create your Edge site

    First, we need to create the Edge site site the on Collibra infrastructure.

    1. On the main toolbar, click Products iconCogwheel icon Settings.
      The Settings page opens.
    2. Click Edge.
      The Sites overview opens.
    3. Above the table, to the right, click Create Site.
      The Create Edge site wizard appears.
    4. Enter the required information.
      1. Site name: OpenShift Edge site.
      2. Description: Our Edge site installed on the OpenShift Kubernetes cluster.
    5. Select the Upgrade Mode for this Edge site.
    6. Click Create Site.
      Your new Edge sites overview appears, including the new Edge site with the status To be installed.

    Install your Edge site

    Once the Edge site is created in Collibra, we can install it on our OpenShift cluster. We will use the default Edge CLI method, as Edge automatically creates the required cluster level objects, such as namespaces and priority classes, for you. As an Edge Administrator, this method reduces manual configuration and ensures your Edge site meets the cluster level requirements.

    1. Download the installer:
      1. Open a site.
        1. On the main toolbar, click Products iconCogwheel icon Settings.
          The Settings page opens.
        2. In the tab pane, click Edge.
          The Sites tab opens and shows a table with an overview of your sites.
        3. In the site overview, click the name of a site.
          The site page appears.
      2. Click Download Installer.
        An Edge user is created in Collibra.

    2. Extract the TGZ archive on the external Linux server which is to install the Edge site on your managed Kubernetes cluster and ensure the directory is not mounted as noexec.

      Copy 
      tar -xf <edge-site-id>-installer.tgz
    3. Set the EDGE_INSTALLER_PATH environment variable to the path of the root of the extracted installer.
      1. Go to the extracted installer and run pwd.The result should look similar to this: 
        /path/to/installer/installer-111e8a59-b842-4f57-970c-32aa72000598
      2. Set the environment variable to the result:
        export EDGE_INSTALLER_PATH=/path/to/installer/installer-111e8a59-b842-4f57-970c-32aa72000598
    4. Run the following command to confirm that the Kubeconfig environment variable has been set to a valid kubeconfig:
      Copy
      echo $KUBECONFIG 
    5. Deploy Security Context Constraints (SCC) which provide Edge service accounts with the required permissions.
      1. Create the SCC file, for example, edge-scc-minimal.yaml, and paste the following information into it:
        Copy
        apiVersion: security.openshift.io/v1
        kind: SecurityContextConstraints
        metadata:
          name: edge-scc-documented
        allowHostDirVolumePlugin: false
        allowHostIPC: false
        allowHostNetwork: false
        allowHostPID: false
        allowHostPorts: false
        allowPrivilegeEscalation: false
        allowPrivilegedContainer: false
        allowedCapabilities: []
        allowedUnsafeSysctls: []
        defaultAddCapabilities: []
        fsGroup:
          type: MustRunAs
        priority: null
        readOnlyRootFilesystem: true
        requiredDropCapabilities: []
        runAsUser:
          type: MustRunAs
          uid: 1000
        seLinuxContext:
          type: MustRunAs
          seLinuxOptions:
            level: "s0"
            role: "system_r"
            type: "container_t"
            user: "system_u"
        seccompProfiles:
          - 'runtime/default'
        supplementalGroups:
          type: MustRunAs
        # who can use it
        users: []
        groups: [system:authenticated]
      2. Create the SCC-role file, for example, edge-scc-role-minimal.yaml, and paste the following information into it:
        Copy
        # File: edge-scc-role-minimal.yaml
        apiVersion: rbac.authorization.k8s.io/v1
        kind: Role
        metadata:
          name: edge-scc-minimal
        rules:
        - apiGroups:
          - security.openshift.io
          resourceNames:
          - edge-scc-minimal
          resources:
          - securitycontextconstraints
          verbs:
          - use
        ---
        apiVersion: rbac.authorization.k8s.io/v1
        kind: RoleBinding
        metadata:
          name: edge-scc-minimal
        subjects:
        - kind: Group
          name: system:serviceaccounts
          apiGroup: rbac.authorization.k8s.io
        roleRef:
          kind: Role
          name: edge-scc-minimal
          apiGroup: rbac.authorization.k8s.io
      3. Deploy both the SCC and SCC-role files:
        Copy
        kubectl apply -f edge-scc-minimal.yaml
        kubectl apply -f edge-scc-role-minimal.yaml -n <my-namespace>
    6. As we want only want save the output to the Edge terminal, as well as specify a namespace and registry, we are going to run the following command:
      ./edgecli install -n edge-namespace
     --is-openshift
     --registry-url https://private-docker.registry.com 
     --registry-user user1 
     --registry-pass pass12
      • We added a namespace to the Edge site to ensure it is unique on the cluster. This allows us to install other Edge sites to this cluster.
      • As we have a registry, we added our registry URL, username, and password. Now our Edge site can authenticate to our private registry.
      In the Edge site's overview, we can see the status of our new installation.
    7. Lastly, we run the following command to verify the status of the installation.
      Copy
      kubectl get pods -n collibra-edge

    Sources

    What's next