# Openshift

We have to support multiple (but not that many) OpenShift/OCP 4.x clusters, deployed in various places and in different ways, depending on local rules and constraints.

What they have in common is that each needs an official subscription, managed centrally from https://console.redhat.com/openshift (see the inventory and/or internal emails for credentials).
## AWS

### deployment

To deploy in AWS, one can use the [adhoc-deploy-ocp-aws](https://github.com/CentOS/ansible-infra-playbooks/blob/master/adhoc-deploy-ocp-aws.yml) playbook.

But first read *all* of the [current](https://docs.openshift.com/container-platform/4.11/welcome/index.html) documentation to understand what is needed.

Before running the playbook, you'll need:

* the [needed Route53](https://docs.openshift.com/container-platform/4.11/installing/installing_aws/installing-aws-account.html#installation-aws-route53_installing-aws-account) public hosted zone for the OCP sub-domain (with delegation from the parent zone working; check it with `dig NS <sub-domain>` before you start)
* an AWS access key and secret for an [IAM role](https://docs.openshift.com/container-platform/4.11/installing/installing_aws/manually-creating-iam.html) able to create the VPC, update Route53, launch EC2 instances, etc. (see the doc)
* the official subscription/pull secret from https://console.redhat.com/openshift
* your Ansible inventory group prepared with all the [needed variables](https://github.com/CentOS/ansible-infra-playbooks/blob/master/adhoc-deploy-ocp-aws.yml#L3)

!!! warning
    Be sure to review the VPC settings/subnets that the `openshift-install` binary will create once running, and ensure they don't overlap with existing VPCs or on-premises ranges (VPC peering and the Site-to-Site VPN connections used below need non-overlapping CIDRs).
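Pre-flight checks for the prerequisites above, as an added Python example (not part of the CentOS playbooks): it compares the networks that `openshift-install` writes into `install-config.yaml` by default against a constructed list of existing CIDRs, validates the pull secret format, and checks the Route53 zone against the base domain. The default network values are the installer's documented defaults; the sample CIDRs and domain names are constructed for the example.

```python
"""Added example, not part of the CentOS playbooks: offline pre-flight
checks to run before adhoc-deploy-ocp-aws. Sample inputs are constructed."""
import ipaddress
import json

# Defaults openshift-install writes into install-config.yaml for an AWS IPI
# install: the VPC it creates uses machineNetwork, clusterNetwork is the pod
# range and serviceNetwork the ClusterIP range.
OCP_DEFAULT_NETWORKS = {
    "machineNetwork": ["10.0.0.0/16"],
    "clusterNetwork": ["10.128.0.0/14"],
    "serviceNetwork": ["172.30.0.0/16"],
}


def cidr_overlaps(existing_cidrs, planned_cidrs):
    """Return (planned, existing) pairs whose ranges overlap. Every range
    must be disjoint from the peered Duffy VPC and the on-premises ranges,
    otherwise VPC peering is refused and VPN routes become ambiguous."""
    clashes = []
    for planned in planned_cidrs:
        p = ipaddress.ip_network(planned, strict=True)
        for existing in existing_cidrs:
            if p.overlaps(ipaddress.ip_network(existing, strict=True)):
                clashes.append((planned, existing))
    return clashes


def check_install_networks(existing_cidrs, networks=OCP_DEFAULT_NETWORKS):
    """Map each install-config network block to its clash list (empty = ok)."""
    return {name: cidr_overlaps(existing_cidrs, cidrs)
            for name, cidrs in networks.items()}


def validate_pull_secret(text):
    """A console.redhat.com pull secret is JSON with an 'auths' map of
    registry -> {"auth": base64(user:token), ...}. Refuse anything else
    before the playbook hands it to openshift-install."""
    try:
        doc = json.loads(text)
    except ValueError:
        return False
    auths = doc.get("auths") if isinstance(doc, dict) else None
    if not isinstance(auths, dict) or not auths:
        return False
    return all(isinstance(v, dict) and "auth" in v for v in auths.values())


def zone_matches_base_domain(base_domain, hosted_zone):
    """install-config's baseDomain must be the name of the public Route53
    hosted zone the installer will add the api.* and *.apps records to."""
    return base_domain.rstrip(".").lower() == hosted_zone.rstrip(".").lower()


if __name__ == "__main__":
    # Constructed sample: an existing VPC on 10.0.0.0/16 (clashes with the
    # default machineNetwork) and an on-prem 192.168.0.0/16 range.
    existing = ["10.0.0.0/16", "192.168.0.0/16"]
    for block, clashes in check_install_networks(existing).items():
        print(block, "OK" if not clashes else f"overlaps {clashes}")
```

If `machineNetwork` clashes, override it in the inventory variables that end up in `install-config.yaml` rather than editing the generated VPC afterwards; the installer creates the subnets from that range.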
### management

Depending on the environment, the [ocp-admin-node](https://github.com/CentOS/ansible-role-ocp-admin-node) role can be used to:

* deploy/replace TLS certificates
* back up etcd data on a daily basis
* configure some OpenShift settings (see the role)
* add/remove projects/groups/namespaces
### authentication

We don't want to use the built-in auth but instead rely on FAS/ACO, so the first thing to do is tie OpenShift to ipsilon (id.centos.org, or id.stg.centos.org for staging).

This is configured by the `ocp-admin-node` role, but it needs some variables first: create the OCP cluster client ID on the ipsilon side (an admin operation) and then set all the `ocp_idp_` variables in the Ansible inventory.

Once applied through the role, OpenShift allows logging in through FAS/ACO.

Also worth knowing: the `ocp_fas_sync` boolean additionally creates projects/groups/namespaces/RBAC automatically for the groups whose name starts with `ocp_fas_group_prefix` (for the OCP CI cluster, for example, the IPA/FAS groups are all prefixed `ocp-cico-`).
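What the role ends up applying, as an added Python example that is not the role's own code: the cluster `OAuth` object with an OpenID Connect identity provider pointing at ipsilon, and the Namespace/Group/RoleBinding manifests a prefix-based group sync produces. The `ocp_idp_*` variable names, the ipsilon issuer path and the claim names are assumptions (the real values live in the inventory and on the ipsilon side); the FAS group dump is constructed.

```python
"""Added example, not the ocp-admin-node role's own code: render the OAuth
identity provider that ties a cluster to ipsilon, and the per-group
manifests a FAS group sync produces. Variable names follow the `ocp_idp_`
/ `ocp_fas_` prefixes the page mentions but are otherwise assumptions."""
import json
import re

# Assumed inventory values; the real ones live in the Ansible inventory.
OCP_IDP = {
    "ocp_idp_name": "centos-ipsilon",
    # ipsilon's OpenID Connect issuer; the /openidc/ path is an assumption.
    "ocp_idp_issuer": "https://id.stg.centos.org/openidc/",
    "ocp_idp_client_id": "ocp-ci-cluster",            # created on the ipsilon side
    "ocp_idp_secret_name": "ipsilon-client-secret",   # Secret in openshift-config
}
GROUP_PREFIX = "ocp-cico-"   # ocp_fas_group_prefix for the CI cluster
K8S_NAME = re.compile(r"^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$")  # DNS label, <= 63 chars


def oauth_config(cfg):
    """Cluster-scoped OAuth object with one OpenID Connect identity provider.
    mappingMethod 'claim' makes a login fail if the preferred username is
    already mapped to a different identity, instead of merging accounts."""
    return {
        "apiVersion": "config.openshift.io/v1",
        "kind": "OAuth",
        "metadata": {"name": "cluster"},
        "spec": {"identityProviders": [{
            "name": cfg["ocp_idp_name"],
            "mappingMethod": "claim",
            "type": "OpenID",
            "openID": {
                "clientID": cfg["ocp_idp_client_id"],
                "clientSecret": {"name": cfg["ocp_idp_secret_name"]},
                "issuer": cfg["ocp_idp_issuer"],
                # Claim names depend on what ipsilon returns (assumed here).
                "claims": {"preferredUsername": ["preferred_username"],
                           "name": ["name"], "email": ["email"]},
                "extraScopes": ["email", "profile"],
            },
        }]},
    }


def manifests_for_fas_groups(fas_groups, prefix=GROUP_PREFIX):
    """For every FAS group whose name starts with `prefix`: a Namespace named
    after the group, an OpenShift Group with its members, and a RoleBinding
    granting that Group the 'admin' ClusterRole in its own namespace only.
    Groups without the prefix or with a name that is not a valid namespace
    name are skipped, so the sync can't be steered at unrelated namespaces."""
    out = []
    for name, members in sorted(fas_groups.items()):
        if not name.startswith(prefix) or not K8S_NAME.match(name):
            continue
        out.append({"apiVersion": "v1", "kind": "Namespace",
                    "metadata": {"name": name}})
        out.append({"apiVersion": "user.openshift.io/v1", "kind": "Group",
                    "metadata": {"name": name}, "users": sorted(members)})
        out.append({"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
                    "metadata": {"name": f"{name}-admin", "namespace": name},
                    "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                                "kind": "ClusterRole", "name": "admin"},
                    "subjects": [{"apiGroup": "rbac.authorization.k8s.io",
                                  "kind": "Group", "name": name}]})
    return out


if __name__ == "__main__":
    # Constructed FAS group dump: one CI group, one unrelated group, one with
    # a name Kubernetes would reject.
    sample = {"ocp-cico-duffy": ["alice", "bob"], "sysadmin": ["carol"],
              "ocp-cico-Bad_Name": ["dave"]}
    for m in [oauth_config(OCP_IDP)] + manifests_for_fas_groups(sample):
        print(json.dumps(m))
```

The client secret is referenced by Secret name and never rendered inline, so the manifests can be committed; the Secret itself goes into the `openshift-config` namespace out of band.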
### Storage for PersistentVolumes

OCP deployed on AWS can use EBS volumes by default, but that comes with limitations: an EBS volume lives in one availability zone and can only be attached to a single node (ReadWriteOnce), so it can't be shared between pods on different nodes.

So one can use [EFS](https://docs.aws.amazon.com/efs/?icmpid=docs_homepage_storage) as a centralized (NFS, ReadWriteMany) storage solution for PersistentVolumes (and our playbook can use that feature).

!!! warning
    If you want to ensure that PVCs use the PVs created on top of EFS instead of EBS, you *should* disable the `gp2` StorageClass as default (under Storage/StorageClasses, edit it and set `storageclass.kubernetes.io/is-default-class: 'false'`). Check afterwards that exactly one StorageClass is still marked as default, otherwise PVCs without an explicit `storageClassName` won't bind to the class you expect.
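The same check done offline against the StorageClass list, as an added Python example (not the playbook's own code): it reports which classes are currently marked default, works out the minimal set of annotation changes that leaves only the EFS class as default, and renders the `oc patch` commands for them. The sample StorageClass objects (including the `efs-sc` name) are constructed.

```python
"""Added example, not the playbook's own code: work out which StorageClass
default annotations must change so PVCs that don't name a class land on
EFS, and build the matching `oc patch` commands. Sample data is constructed."""
import json
import shlex

DEFAULT_ANNOTATION = "storageclass.kubernetes.io/is-default-class"
LEGACY_ANNOTATION = "storageclass.beta.kubernetes.io/is-default-class"


def is_default(sc):
    """True if the class is marked default with the GA or the old beta key;
    both are still honored, so a leftover beta annotation must be cleared too."""
    ann = sc["metadata"].get("annotations") or {}
    return "true" in (ann.get(DEFAULT_ANNOTATION), ann.get(LEGACY_ANNOTATION))


def default_storage_classes(storage_classes):
    """Names currently marked default. More than one is a misconfiguration:
    which one serves a PVC without storageClassName then depends on the
    Kubernetes version, so aim for exactly one."""
    return [sc["metadata"]["name"] for sc in storage_classes if is_default(sc)]


def patches_to_make_default(storage_classes, wanted):
    """(name, 'true'|'false') changes that make `wanted` the only default."""
    names = [sc["metadata"]["name"] for sc in storage_classes]
    if wanted not in names:
        raise ValueError(f"StorageClass {wanted!r} does not exist; create it first")
    patches = []
    for sc in storage_classes:
        name = sc["metadata"]["name"]
        if name == wanted and not is_default(sc):
            patches.append((name, "true"))
        elif name != wanted and is_default(sc):
            patches.append((name, "false"))
    return patches


def oc_patch_commands(storage_classes, wanted):
    """argv lists for the merge patches the OpenShift docs use to toggle the
    default flag; the beta key is only touched on classes that carry it."""
    by_name = {sc["metadata"]["name"]: sc for sc in storage_classes}
    cmds = []
    for name, value in patches_to_make_default(storage_classes, wanted):
        ann = {DEFAULT_ANNOTATION: value}
        if LEGACY_ANNOTATION in (by_name[name]["metadata"].get("annotations") or {}):
            ann[LEGACY_ANNOTATION] = value
        cmds.append(["oc", "patch", "storageclass", name, "-p",
                     json.dumps({"metadata": {"annotations": ann}})])
    return cmds


if __name__ == "__main__":
    # Constructed `oc get storageclass -o json` items: gp2 is the current
    # default, gp2-csi carries no annotation, efs-sc is the class we want.
    sample = [
        {"metadata": {"name": "gp2", "annotations": {DEFAULT_ANNOTATION: "true"}}},
        {"metadata": {"name": "gp2-csi"}},
        {"metadata": {"name": "efs-sc", "annotations": {}}},
    ]
    print("default now:", default_storage_classes(sample))
    for cmd in oc_patch_commands(sample, "efs-sc"):
        print(shlex.join(cmd))
```

Feed it the items from `oc get storageclass -o json` and run the printed commands; re-run `default_storage_classes` afterwards and expect a single name.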
### Specific ocp CI cluster notes

Here is an overview of the deployed OCP CI cluster:

![CI Infra overview](/img/duffy-aws.drawio.png)

Apart from the FAS auth and the EFS volumes, it's worth knowing that:

* we use [VPC peering](https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html) between the Duffy and OCP VPCs (see the Ansible inventory for details)
* we use [internal Route53 resolvers](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-overview-DSN-queries-to-vpc.html) to forward queries to specific name servers
* we use [Site-to-Site VPN](https://docs.aws.amazon.com/vpc/latest/userguide/vpn-connections.html) connections between the VPCs and the on-premises DC (see the Ansible inventory for the ec2gw nodes)
* a security group is attached to EFS to allow NFS traffic (TCP 2049) from the OCP nodes (so that worker nodes are able to mount the NFS PVs)
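An audit of that EFS security group, as an added Python example (not from the CentOS inventory or playbooks): it walks the `IpPermissions` structure that `aws ec2 describe-security-groups` returns and flags any NFS ingress that is not sourced from the OCP node security groups, above all a `0.0.0.0/0` rule that would expose the PV data to the whole peered/VPN-connected network. The security group ids and rules are constructed sample data.

```python
"""Added example, not from the CentOS inventory/playbooks: audit the
security group attached to the EFS mount targets, using the structure
`aws ec2 describe-security-groups` returns. Sample data is constructed."""
import json

NFS_PORT = 2049


def nfs_ingress_sources(sg):
    """Yield every source (CIDR or security-group id) the SG lets reach
    TCP/2049, including rules that cover 2049 inside a wider port range
    or an all-traffic (-1) rule."""
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "-1"):
            continue
        if proto == "-1":            # all traffic: AWS omits the port fields
            lo, hi = 0, 65535
        else:
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        if not lo <= NFS_PORT <= hi:
            continue
        for r in perm.get("IpRanges", []):
            yield ("cidr", r["CidrIp"])
        for r in perm.get("Ipv6Ranges", []):
            yield ("cidr", r["CidrIpv6"])
        for r in perm.get("UserIdGroupPairs", []):
            yield ("sg", r["GroupId"])


def audit_efs_sg(sg, allowed_node_sgs):
    """Findings for an EFS security group. Expected state: NFS reachable only
    from the OCP node security groups (the installer's worker/master SGs);
    any CIDR source or an unknown SG is a finding, and no NFS rule at all
    means the workers cannot mount the PVs."""
    findings = []
    sources = set(nfs_ingress_sources(sg))
    if not sources:
        findings.append("no rule allows TCP/2049: workers cannot mount the PVs")
    for kind, value in sorted(sources):
        if kind == "cidr":
            findings.append(f"NFS open to CIDR {value}; use the node SGs as source instead")
        elif value not in allowed_node_sgs:
            findings.append(f"NFS allowed from unexpected security group {value}")
    return findings


if __name__ == "__main__":
    # Constructed sample: one good SG and one that was opened to the world.
    good = {"GroupId": "sg-0efs", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0worker"}]}]}
    bad = {"GroupId": "sg-0efs-bad", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]}
    for sg in (good, bad):
        print(sg["GroupId"], json.dumps(audit_efs_sg(sg, {"sg-0worker", "sg-0master"})))
```

The allowed set should be the worker and master security groups the installer created for the cluster, looked up from the inventory or from `aws ec2 describe-security-groups` filtered on the cluster tag.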
## Bare-metal (on premises)

### deployment

### management

### authentication

## Virtual Machines (on premises)

### deployment

### management

### authentication