HCS OpenShift Install

Automated Clusters for the Rest of Us

Wander Boessenkool

Installing OpenShift can be hard

What is OpenShift

  • Gigantic
  • Enterprise
  • Container Platform
  • Opinionated

Two ways of installing

IPI

  • openshift-install command creates machines
  • Waits for machines to join cluster
  • Configures cloud-provider settings

UPI

  • openshift-install creates manifests and ignition files
  • User creates machines using generated files

IPI vs. UPI

IPI UPI
“Easy” to use
Cloud Integration
Runs “Everywhere”
Generated machine names
Requires DHCP ❌/✅
Configures your cluster

$ whoami

Installing OpenShift can be hard

But it doesn't have to be

Introducing the HCS OpenShift Installer

A collection of Ansible Playbooks

In multiple parts

Two main parts

  • openshift_install.yml
  • openshift_config_gitops.yml

Why did we make this?

openshift_install.yml

  • Can install where IPI can’t
  • Automates UPI

Supported Installation Targets

As of October 2022

  • VMware
  • libvirt
  • Bare Metal HP (using iLO)
  • Any existing RHEL-family machine (abusing grub2)
  • Anything where you can manually boot an .iso file

Bonus

Can use self-hosted Load Balancer for API and Ingress on any platform

openshift_config_gitops.yml

  • Sets up ArgoCD on target cluster
  • Installs Sealed Secrets
  • Configures cluster using Applications and ApplicationSets

Configuration Targets

As of October 2022

  • apiserver
    • certificates
    • etcd encryption
  • branding
    • custom login screens
    • console branding
  • cicd-operators
    • Tekton
    • Knative
  • Authentication
    • Multiple providers
      • AD
      • LDAP
      • OpenID
    • Groupsync
  • Ingress
    • Certificates
    • Scaling
    • Multiple Ingress Routers
  • Local Storage
    • Add disks
    • Add storageclasses
  • Logging
    • Configure OpenShift logging stack (EFK)
  • Monitoring
    • Configure Prometheus
    • Configure Alertmanager
    • User Workload Monitoring
  • Default NetworkPolicies
  • NFS Subdir Provisioning
    • But don't do this in prod
  • OpenShift Data Foundation
    • Install
    • Configure
  • Registry
    • Scaling
    • Storage
  • Service Mesh
    • Install Istio
  • Trident
    • Deploy NetApp Trident Astra Operator
    • Configure Storage Backends
    • Configure StorageClasses

Design Choices

Ansible Controller Split from Bastion Host

But can be combined

Ansible Controller

  • runs playbooks

Bastion

  • Has “private” files (certificates etc.)
  • Communicates with VMware
  • Communicates with OpenShift
  • Communicates with iLO cards
  • Etc.

Configuration Separate from Install

Can use configuration on clusters installed with other methods

GitOps Configuration in Two Stages

  1. A base git repository
  2. Per cluster overlays

Everything Documented

Basic Installation Steps

Prepare Ansible Controller

  • Install Ansible
  • Install dependencies
    • Mostly Ansible Collections

Prepare Bastion

  • Install needed Python modules
  • Configure passwordless SSH from controller
  • Collect needed files
    • Serving Certificates
    • CA Certificates
    • Pull Secret

Write Inventory

  • Start from the provided hosts-example
    • Read the docs on all components

Launch openshift_install.yml playbook

And hope for the best

Basic Configuration Steps

Write Inventory

  • Start from the provided hosts-example
    • Read the docs on all components

Launch openshift_config_gitops.yml playbook

Push the resulting gitops directory to your git repository

Wait for the cluster to settle

Profit

Roadmap

Mirror Registry

Disconnected Installs

Better bastion prep

RHACS Central/Collector

Allowed / Insecure Registries

IPI Support

One More Thing

We made it Open Source

Download Now

https://gitlab.com/hcs-company/hcs-openshift-install