Install OpenShift
You’re almost there!
In this section you will create an install-config.yaml "answer file" that the OpenShift Installer openshift-install will use to automatically create your disconnected openshift.disco.lab cluster.
Installing OpenShift in a disconnected environment is as easy as adding three extra pieces of information to an install-config.yaml.
1. Provide your disconnected pull secret
2. Identify your disconnected mirror-registry
3. Trust the mirror-registry’s TLS certificate
We will also create an SSH key that can be used for debugging. But nothing will go wrong, so we won’t use it! 😊 Creating an SSH key is not required for any OpenShift installation, connected or disconnected, but it’s a good idea to include one just in case…
The diagram below is a reminder that your disco.lab cluster is completely disconnected from the public internet. Aside from communicating with the AWS Cloud APIs to create its own DNS records, instances, and security groups — your cluster is completely disconnected and will install from highside’s mirror-registry.
Create the install-config.yaml
Instead of answering openshift-install’s questions via its interactive wizard, this workshop shows you how to create the install-config.yaml answer file from a template.
The template below provides the Amazon AWS cloud region and subnet values that are unique to your environment.
The template also provides the DNS name (disco.lab) that OpenShift will use and tells openshift-install to create a Single Node OpenShift (SNO) cluster by setting compute.replicas to 0 and controlPlane.replicas to 1. Question, is a cluster of 1 still a cluster? 🤷
Do not change any values in the
Don’t forget to hit Enter/Return after pasting this beautiful block of text.
cat << EOF > /mnt/high-side-data/install-config.yaml
---
apiVersion: v1
metadata:
  name: disco
baseDomain: lab
compute:
- architecture: amd64
  hyperthreading: Enabled
  name: worker
  replicas: 0
controlPlane:
  architecture: amd64
  hyperthreading: Enabled
  name: master
  replicas: 1
networking:
  clusterNetwork:
  - cidr: 10.128.0.0/14
    hostPrefix: 23
  machineNetwork:
  - cidr: 10.0.0.0/16
  networkType: OVNKubernetes
  serviceNetwork:
  - 172.30.0.0/16
platform:
  aws:
    region: {aws_default_region}
    subnets:
    - {PrivateSubnet1}
publish: Internal
additionalTrustBundlePolicy: Always
EOF
SSH key
Generate an SSH key that can be used to debug / troubleshoot the cluster nodes and add its public half to the install-config.yaml file.
ssh-keygen -C "OpenShift Debug" -N "" -f /mnt/high-side-data/id_rsa
echo "sshKey: $(cat /mnt/high-side-data/id_rsa.pub)" | tee -a /mnt/high-side-data/install-config.yaml
Generating public/private rsa key pair.
Your identification has been saved in /mnt/high-side-data/id_rsa
Your public key has been saved in /mnt/high-side-data/id_rsa.pub
The key fingerprint is:
SHA256:ckekOIN4KHNRkGuhsUikBAKIYOvmJd/P6qOZXVpKy6I OpenShift Debug
The key's randomart image is:
+---[RSA 3072]----+
|%+o+. . |
|O.++ . . o |
|*=+oo + . . |
|=+o. o . |
| = . . S . |
|o + . o . |
| . . o o |
| .*.O |
| E.++Ooo |
+----[SHA256]-----+
sshKey: ssh-rsa ... OpenShift Debug
Pull Secret
Your disconnected pull secret contains the username and password for the mirror-registry.
However, the pull secret created by podman login stores that information on multiple lines.
The install-config.yaml file expects your pull secret to be on a single line.
Use jq to minify your pull secret and add it to the install-config.yaml.
echo "pullSecret: '$(jq -c . $XDG_RUNTIME_DIR/containers/auth.json)'" | tee -a /mnt/high-side-data/install-config.yaml
pullSecret: '{"auths":{"ip-10-0-48-96.us-west-2.compute.internal:8443":{"auth":"aW5pdDpkaXNjb3Bhc3M="}}}'
Downloading the OpenShift installation images requires a pull secret from the Red Hat Hybrid Cloud Console. That pull secret provides credentials for several Red Hat image registries, including quay.io and registry.redhat.io. The pull secret that gets added to a disconnected installation’s
Add imageContentSources
We will use the files generated by oc-mirror on the highside system to ensure that the cluster pulls its container images from our disconnected mirror.
When oc-mirror is done uploading the OpenShift installation images into the mirror-registry it creates several results files.
The contents of the imageContentSourcePolicy.yaml result file must be added to the install-config.yaml answer file.
Use the following command to check if oc-mirror on the highside system has finished uploading the installation images.
if (test -e /mnt/high-side-data/oc-mirror-workspace/results-*/imageContentSourcePolicy.yaml)
then
  echo -e "\n\n Looks good, go ahead! \n\n"
else
  echo -e "\n\n Uh oh, something is wrong... \n\n"
fi
If the check command said that something is wrong, please make sure that
When the check command says that everything looks good, you can add the imageContentSources: data to your install-config.yaml with the following command.
cat << EOF >> /mnt/high-side-data/install-config.yaml
imageContentSources:
$(grep "mirrors:" -A 2 --no-group-separator /mnt/high-side-data/oc-mirror-workspace/results-*/imageContentSourcePolicy.yaml)
EOF
Confirm that the imageContentSources were added to the bottom of your install-config.yaml with this command, and that the output looks similar to the example below.
tail -22 /mnt/high-side-data/install-config.yaml
imageContentSources:
- mirrors:
  - ip-10-0-51-206.ec2.internal:8443/openshift/release-images
  source: quay.io/openshift-release-dev/ocp-release
- mirrors:
  - ip-10-0-51-206.ec2.internal:8443/openshift/release
  source: quay.io/openshift-release-dev/ocp-v4.0-art-dev
The imageContentSources: lines tell OpenShift that its installation images should be pulled from your mirror-registry instead of from quay.io.
Trust the mirror-registry’s TLS certificate
Now that your install-config.yaml includes the location and credentials for your mirror-registry, the last step is to add the mirror-registry’s TLS Certificate Authority (CA) data.
Add the Root CA of your mirror-registry to the install-config.yaml file by running this command:
cat << EOF >> /mnt/high-side-data/install-config.yaml
additionalTrustBundle: |
$(sed 's/^/  /' /home/lab-user/quay-install/quay-rootCA/rootCA.pem)
EOF
It will look something like this, including the 2 spaces of indentation, when we inspect the finished install-config.yaml in the next step.
additionalTrustBundle: |
  -----BEGIN CERTIFICATE-----
  ...
  -----END CERTIFICATE-----
Review the install-config.yaml
Please take a moment to inspect your install-config.yaml file for the sections that were added in this lab.
cat /mnt/high-side-data/install-config.yaml
In addition to the base template, you should have sections for:
1. SSH key under sshKey:
2. Pull Secret under pullSecret:
3. Mirror Registry under imageContentSources:
4. Mirror Registry Certificate Authority under additionalTrustBundle:
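A quick self-check of those four sections before you start the installation, added here as an example and not part of the workshop: the sample answer file, hostnames and key material are constructed (the base64 auth value is the same init:discopass shown in the pull-secret output above). It catches the mistakes this lab warns about: a multi-line pull secret, a mirror with no matching credentials, and a CA bundle that lost its two-space indentation.

```python
import base64
import json
import re
# Constructed sample of the four appended sections (made-up host/key; base64 = "init:discopass")
SAMPLE = """sshKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDexample OpenShift Debug
pullSecret: '{"auths":{"ip-10-0-51-206.ec2.internal:8443":{"auth":"aW5pdDpkaXNjb3Bhc3M="}}}'
imageContentSources:
- mirrors:
  - ip-10-0-51-206.ec2.internal:8443/openshift/release-images
  source: quay.io/openshift-release-dev/ocp-release
additionalTrustBundle: |
  -----BEGIN CERTIFICATE-----
  MIIBexample
  -----END CERTIFICATE-----
"""
def top_level_blocks(text):
    """Group lines under their top-level YAML key (stdlib only, so no PyYAML needed)."""
    blocks, key = {}, None
    for line in text.splitlines():
        if line and line[0] not in " -" and line != "---":
            key, _, rest = line.partition(":")
            blocks[key] = [rest.strip()] if rest.strip() else []
        elif key is not None:
            blocks[key].append(line)
    return blocks
def check_install_config(text):
    """Return the problems found in the four added sections; [] means ready to install."""
    cfg, problems, hosts = top_level_blocks(text), [], set()
    ssh = cfg.get("sshKey", [""])
    if len(ssh) != 1 or not ssh[0].startswith(("ssh-", "ecdsa-")):
        problems.append("sshKey: expected one OpenSSH public key on a single line")
    ps = cfg.get("pullSecret", [])
    m = re.fullmatch(r"'(\{.*\})'", ps[0]) if len(ps) == 1 else None
    if not m:  # podman's auth.json is multi-line; it must be minified with jq -c first
        problems.append("pullSecret: must be one single-quoted JSON line")
    else:
        for host, entry in json.loads(m.group(1)).get("auths", {}).items():
            hosts.add(host)
            if b":" not in base64.b64decode(entry.get("auth", "")):
                problems.append(f"pullSecret: auth for {host} is not base64(user:password)")
    mirrors = {mm.group(1) for line in cfg.get("imageContentSources", [])  # mirror hosts
               if (mm := re.match(r"\s*-\s*([^/\s]+)/", line))}
    if not mirrors:
        problems.append("imageContentSources: no mirrors found (did oc-mirror finish?)")
    problems += [f"imageContentSources: no pullSecret entry for {h}" for h in sorted(mirrors - hosts)]
    pem = [l for l in cfg.get("additionalTrustBundle", []) if l.strip()]  # '|' then PEM lines
    ok = pem[:1] == ["|"] and len(pem) > 2 and all(l.startswith("  ") for l in pem[1:])
    if not ok or "BEGIN CERTIFICATE" not in pem[1] or "END CERTIFICATE" not in pem[-1]:
        problems.append("additionalTrustBundle: expect '|' then a 2-space-indented PEM block")
    return problems
```

Run it against your real file with check_install_config(open("/mnt/high-side-data/install-config.yaml").read()); an empty list means the four sections are present and well-formed.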
Make a backup of your perfect install-config.yaml.
cp -v /mnt/high-side-data/install-config.yaml /mnt/high-side-data/install-config.yaml.backup
'/mnt/high-side-data/install-config.yaml' -> '/mnt/high-side-data/install-config.yaml.backup'
Running the Installation
With all of the installation questions answered, openshift-install can now automate the installation of your disconnected cluster.
Let’s kick off your disconnected OpenShift installation!
Run the openshift-install command. The command below includes the directory where your install-config.yaml answer file is located.
openshift-install create cluster --dir /mnt/high-side-data
INFO Credentials loaded from the "default" profile in file "/home/lab-user/.aws/credentials"
WARNING imageContentSources is deprecated, please use ImageDigestSource
WARNING Making control-plane schedulable by setting MastersSchedulable to true for Scheduler cluster settings
INFO Consuming Install Config from target directory
INFO Creating infrastructure resources...
... the longest wait of this workshop ...
INFO Install complete!
INFO To access the cluster as the system:admin user when using 'oc', run 'export KUBECONFIG=/mnt/high-side-data/auth/kubeconfig'
INFO Access the OpenShift web-console here: https://console-openshift-console.apps.disco.lab
INFO Login to the console with user: "kubeadmin", and password: "*****-*****-*****-*****"
INFO Time elapsed: 30m49s
This disco.lab OpenShift cluster will take about 30 minutes to install.
Please go on to the next section and work with the pre-built salsa.lab cluster while the installation completes.